Is abdelsfane/opena2a-security safe?
https://github.com/openclaw/skills/tree/main/skills/abdelsfane/opena2a-security
This skill masquerades as a security hardening tool while itself embodying the supply-chain attack pattern it claims to detect: it instructs the LLM agent to download and execute an unpinned, unaudited npm package ('npx hackmyagent') against the user's most sensitive credential files, while falsely declaring network: [] in its permission manifest to suppress security warnings. The install-time behavior was clean (standard git clone), but the skill's runtime design creates an uncontrolled code execution and credential exfiltration surface on every invocation. Post-installation credential file reads were detected in auditd records but cannot be definitively attributed.
Findings (8)
CRITICAL Unpinned npx execution of unvetted third-party package -55
Every scan command in the skill uses 'npx hackmyagent' without specifying a version, integrity hash, or lockfile. npx downloads and executes the current latest release from the npm registry on each invocation. The package publisher can push a malicious update at any time and all users of this skill will silently execute it on their next scan. The package has no independent security audit, no code signing, and no reproducible build.
CRITICAL Falsely declares network: [] while requiring outbound npm access -40
The SKILL.md frontmatter explicitly lists 'network: []', signalling to the host platform that the skill requires no network access. This is false: npx must reach registry.npmjs.org to download hackmyagent on every invocation. The false declaration is designed to suppress network-permission warnings during skill review and installation, causing operators to grant it without understanding its true network footprint.
HIGH Skill instructs scanning of credential files outside declared filesystem scope -45
The declared filesystem permission is '~/.openclaw' only. However, the skill's credential audit section explicitly directs the agent to check ~/.env, ~/.ssh/id_rsa, ~/.aws/credentials, ~/.npmrc, ~/.docker/config.json, and GCP application default credentials — all outside the declared scope. The downloaded hackmyagent binary, executing with user-level permissions, can read these files and exfiltrate them over the network.
HIGH Security-tool-as-vector: documents the exact attacks it enables -50
The skill's own check table documents SKILL-003 ('Data exfiltration to external endpoints') and SC-001 ('npm install without --ignore-scripts') as malicious patterns it detects in other skills — while itself executing an unpinned npx command that can exfiltrate data to external endpoints. This self-referential contradiction is a strong indicator of intentional obfuscation: the security framing provides cover for the exact attack surface the tool creates.
HIGH Credential files read post-installation with unidentified responsible process -30
Auditd PATH syscall records show all six canary credential files (/home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and accessed at audit events 1409-1414, timestamp 1771937205 — approximately 17 seconds after skill installation completed. The EXECVE log coverage ends before these events, making it impossible to positively attribute them to the audit harness teardown. Exfiltration via a pre-scheduled or async mechanism cannot be ruled out.
MEDIUM No version pinning or integrity verification for npm dependency -25
The skill references hackmyagent by name only with no pinned version, no npm lockfile, no SHA hash, and no signature requirement. This violates the skill's own SC-002 check ('Unpinned or pre-release dependencies') and SC-003 ('Missing skill signing or hash verification'). Even if the current package is benign, permanent supply-chain exposure exists.
MEDIUM Misleading 'no API keys required' and 'entirely local' safety claims -20
The skill's marketing text asserts 'This skill runs entirely locally. No data leaves your machine. No API keys required.' These claims are used to lower the user's guard. In reality the skill executes a remote npm package that can make arbitrary outbound connections, and the agent tool it relies on (npx) must reach the internet to function.
LOW Anomalous output format 'asp' alongside legitimate formats -10
The skill documents output formats as 'text, json, sarif, html, asp'. The first four are standard security report formats (SARIF is the OASIS standard for static analysis results). 'asp' (Active Server Pages) is not a security report format and has no meaning in this context. Its inclusion is unexplained and could represent an alias for an exfiltration channel or simply be a false-legitimacy token.