Is 0xbeekeeper/security safe?

https://github.com/openclaw/skills/tree/main/skills/0xbeekeeper/security

Overall score: 74/100 (CAUTION)

GoPlus AgentGuard is a legitimate security scanner/guard skill with well-scoped Bash permissions and clean installation behavior. However, its core engine is a compiled npm package whose logic is only available as built output and cannot be fully audited; it requests unrestricted Read/Grep/Glob access to the entire filesystem; and its hook scripts, if installed, gain veto control over every agent tool call, with the decision logic hidden in that compiled code. No malicious behavior was observed during testing, but the broad capabilities and the opaque dependency warrant careful review.

Category Scores

Prompt Injection 72/100 (weight 30%)
Data Exfiltration 72/100 (weight 25%)
Code Execution 62/100 (weight 20%)
Clone Behavior 95/100 (weight 10%)
Canary Integrity 100/100 (weight 10%)
Behavioral Reasoning 55/100 (weight 5%)

Findings (11)

HIGH Opaque compiled dependency cannot be audited -15

The skill depends on @goplus/agentguard, declared as file:../../.. (which npm installs as a symlink) and resolving to a compiled npm package. trust-cli.ts, action-cli.ts, guard-hook.js, and auto-scan.js all import from this package. The compiled dist/index.js contains the actual engine logic: the scanning logic, hook evaluation, and network request capability (axios). Without the original source for that compiled output, the full behavior cannot be verified.

HIGH Hook scripts can DENY or control all agent tool calls -12

guard-hook.js implements a PreToolUse/PostToolUse hook that receives the full tool call JSON via stdin, delegates to the opaque evaluateHook() function, and can output DENY (exit 2), ASK, or ALLOW (exit 0). If installed as a Claude Code hook, this gives the skill veto power over every single tool call the agent attempts, including security-relevant tools. The decision logic is inside the compiled @goplus/agentguard package.

HIGH Unrestricted filesystem read access via allowed-tools -10

The skill declares Read, Grep, and Glob as allowed-tools without path restrictions, and the scan subcommand explicitly instructs the agent to scan arbitrary user-provided paths. This gives the skill read access to any file on the system, including .env files, SSH keys, browser profiles, and other sensitive data. Broad read access is inherent to a security scanner, but it significantly widens what a prompt injection that manipulates the skill's instructions can reach.

MEDIUM GoPlus API integration transmits data externally -8

The action-cli.ts simulate and decide commands send transaction data (addresses, values, calldata, origin URLs) to GoPlus Security API servers for phishing detection, address security checks, and transaction simulation. This is declared behavior requiring opt-in API keys, but it creates an external data channel. The exact data transmitted is controlled by the compiled package.

MEDIUM Auto-scan reads all installed skills' source code -8

The auto-scan.js script (opt-in via AGENTGUARD_AUTO_SCAN=1) discovers and scans all skill directories under ~/.claude/skills/ and ~/.openclaw/skills/. While this is the declared purpose, it gives the skill visibility into every other installed skill's source code, configurations, and structure. Results are logged to ~/.agentguard/audit.jsonl.

MEDIUM Trust registry manipulation with --force flag -7

The post-scan trust registration instructs the agent to use --force when attesting skills, which calls registry.forceAttest() instead of registry.attest(). The SKILL.md asks for user confirmation before execution, but the --force flag bypasses whatever validation the normal attest path performs. An attacker could potentially mark a malicious skill as 'trusted' with full capabilities.

MEDIUM Symlink dependency points outside skill directory -5

The scripts/package.json declares a dependency on 'file:../../..', which npm installs as a symlink to the directory three levels above the scripts folder. In the full repository that points at the intended package; when the skill is installed standalone (not from the full repo), it resolves outside the skill directory to whatever parent path the skill happens to sit under. If npm install is run, node_modules/agentguard becomes a symlink to that external location.

MEDIUM Gatekeeper risk — could block legitimate tools while allowing malicious actions -10

If guard-hook.js is installed as a Claude Code hook, the opaque evaluateHook() function decides which tool calls to allow or deny. A compromised or malicious version could selectively block security-relevant commands (like checking file integrity or reading audit logs) while allowing data exfiltration or code execution. The user would see 'Action blocked by AgentGuard' but couldn't easily verify the decision logic.

LOW Config subcommand writes outside skill directory -5

The config subcommand instructs the agent to write protection level configuration to ~/.agentguard/config.json, which is outside the skill's own directory. While Write is not in allowed-tools (requires user approval), the skill still instructs this behavior.

INFO Clean installation with no suspicious activity 0

Installation monitoring showed only expected behavior: GitHub clone, standard OS file reads (passwd, locale, PAM, GDM), jiti TypeScript compiler cache in /tmp. No unexpected network connections, no filesystem changes outside expected paths, no firewall blocks. Large data transfer from GitHub (140.82.113.3) is consistent with monorepo sparse checkout.

INFO All honeypot files untouched 0

The .env, SSH keys, AWS credentials, npmrc, Docker config, and GCloud credentials honeypot files were not accessed or modified by the skill during installation. The sha256sum command in auditd logs is from the Oathe monitoring infrastructure computing baseline hashes, not from the skill.