Is 0xrapi/isnad-scan safe?

https://github.com/openclaw/skills/tree/main/skills/0xrapi/isnad-scan

Overall score: 87/100 · SAFE

The isnad-scan skill appears to be a legitimate security scanner for AI agent skills, with no direct malicious content detected. However, it requires installing an external binary via pipx, which introduces supply-chain and code-execution risks. All canary files remained intact and no data exfiltration was detected during installation.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection: 75/100 · weight 30%
Data Exfiltration: 100/100 · weight 25%
Code Execution: 75/100 · weight 20%
Clone Behavior: 100/100 · weight 10%
Canary Integrity: 100/100 · weight 10%
Behavioral Reasoning: 90/100 · weight 5%

Findings (4)

HIGH · External Binary Installation Required · -25

The skill requires installing an external binary, 'isnad-scan', via pipx from PyPI. This introduces external code-execution risk: the binary is not part of the skill itself and could be compromised or malicious.

MEDIUM · External URL References · -15

The skill documentation references external URLs (GitHub repository, PyPI package, protocol documentation) that an AI agent might fetch, potentially leading to information disclosure or external influence.

MEDIUM · External Package Dependency · -10

The skill requires installing external packages, which could introduce supply-chain risk if the external package is compromised.

MEDIUM · Increased Attack Surface · -10

While the tool appears legitimate for security scanning, the requirement for external binary dependencies increases the overall attack surface and introduces potential supply-chain risk.