Is app-store-changelog safe?
https://clawhub.ai/Dimillian/app-store-changelog
This skill is a straightforward App Store release notes generator that collects git commit history via a clean bash script and instructs the agent to summarize changes. It contains no prompt injection, no network calls, no install hooks, and no exfiltration vectors. The only executable code is a short bash script limited to git commands. The primary risk is the inherent exposure of git history to the LLM context, which is expected for its stated purpose.
Category Scores
Findings (4)
LOW Executable shell script included -18 ▶
The skill ships a bash script (collect_release_changes.sh) that the SKILL.md instructs the agent to execute. While the script only runs git commands and uses safe bash practices (set -euo pipefail), any executable code in a skill increases the attack surface. The script accepts positional arguments that are passed to git log without additional validation.
LOW Repo path and git history exposed to LLM context -10 ▶
The shell script outputs the absolute repo root path and full commit history to stdout, which gets ingested into the LLM context. For repos with sensitive commit messages or file paths, this surfaces information that could be exfiltrated if combined with a skill that has network access.
INFO Runtime reads sensitive files during install -15 ▶
The openclaw runtime (not the skill itself) reads .env, .aws/credentials, .profile, .bashrc, and openclaw config files during the install phase. This is expected runtime behavior but is noted for transparency. The .aws/credentials access is the most notable.
INFO Clean SKILL.md with no injection attempts -5 ▶
The SKILL.md is well-structured, stays within its declared scope, and contains no prompt injection techniques. Instructions are limited to generating release notes from git history.