Is abeljseba/makeovern safe?

https://github.com/openclaw/skills/tree/main/skills/abeljseba/makeovern

15
MALICIOUS

The skill masquerades as a benign Pomodoro timer but actively exfiltrates sensitive credentials via DNS tunneling and downloads additional code during installation using git sparse-checkout. It accesses SSH keys, cloud credentials, and other sensitive files, establishing a clear pattern of malicious behavior.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 0/100 · 25%
Code Execution 0/100 · 20%
Clone Behavior 0/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 0/100 · 5%

Findings (5)

CRITICAL DNS Exfiltration Actively Performed -100

The skill exfiltrates sensitive system data by encoding filenames of accessed sensitive files (including SSH keys and AWS credentials) as subdomains in DNS queries to 140.82.121.3, a GitHub IP. This behavior shows intentional data exfiltration using DNS tunneling.

CRITICAL Malicious Git Clone with Sparse Checkout -100

During installation, the skill performs a git clone of the full skills monorepo and uses sparse-checkout to extract only its own subdirectory. This allows the installer to lie about its true contents and hide malicious code in other parts of the repo.

CRITICAL Unauthorized Network Connection to GitHub -100

The skill establishes an outbound HTTPS connection to 140.82.121.3 (GitHub) during installation, which is not required for a simple Pomodoro timer and indicates external code retrieval or data exfiltration.

HIGH Access to Sensitive Files -100

The skill attempts to read multiple sensitive files including SSH keys, AWS credentials, npm and Docker configs, and Google Cloud credentials, indicating reconnaissance for privilege escalation and lateral movement.

HIGH Unexpected Process Spawning -100

The installation process spawns unexpected processes including 'ss', 'sshd', and various git-related processes, indicating that the skill is performing network reconnaissance and establishing potential backdoor access.