Is abyousef739/clawskillshield safe?
https://github.com/openclaw/skills/tree/main/skills/abyousef739/clawskillshield
ClawSkillShield is a Python-based static analysis tool for scanning other skills for security risks. While the code contains no network exfiltration or overtly malicious behavior, the quarantine() function provides unrestricted ability to move and delete arbitrary directories, and the SKILL.md actively encourages agents to invoke this destructively without user confirmation. The primary risk is not direct malice but the normalization of autonomous destructive filesystem operations under the guise of security.
Findings (8)
HIGH: Unrestricted quarantine function can move/delete arbitrary directories (-20)
The quarantine() function in skill.py accepts any path, calls shutil.rmtree() on the destination if it exists (silently ignoring errors), then shutil.move() to relocate the directory. There is no path validation, no sandboxing, and no user confirmation. An agent could be instructed to quarantine any directory on the filesystem that the user has write access to, including other installed skills, configuration directories, or project files.
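The mitigation a reviewer would ask for here is to confine quarantine() to an allowlisted skills root, refuse symlinks and existing destinations instead of rmtree-ing them, and require an explicit confirmation flag. The following is an added example written for this review, not ClawSkillShield's own code; the skills_root/quarantine_root layout, the QuarantineError class and the demo() helper are assumptions.

```python
"""Hardened quarantine: confine the target to an allowlisted skills root,
never overwrite an existing quarantine entry, and require confirmation.
Added example; not the project's own code."""
import shutil
import tempfile
from pathlib import Path


class QuarantineError(Exception):
    """Raised for any refused quarantine request (assumed name)."""


def _confined(path: Path, root: Path) -> Path:
    # Resolve symlinks and '..' before comparing against the allowed root.
    real = path.resolve(strict=False)
    try:
        real.relative_to(root)
    except ValueError:
        raise QuarantineError(f"{path} is outside {root}") from None
    return real


def quarantine(skill_dir, skills_root, quarantine_root, confirmed=False):
    """Move one skill directory under quarantine_root; return the new path."""
    skills_root = Path(skills_root).resolve()
    quarantine_root = Path(quarantine_root).resolve()
    requested = Path(skill_dir)
    if requested.is_symlink():
        raise QuarantineError("refusing to quarantine a symlink")
    src = _confined(requested, skills_root)
    if src == skills_root:
        raise QuarantineError("refusing to quarantine the skills root itself")
    if not src.is_dir():
        raise QuarantineError(f"{src} is not a directory")
    dest = quarantine_root / src.name
    if dest.exists():
        # The original deletes whatever is at dest; here we stop instead.
        raise QuarantineError(f"{dest} already exists; not overwriting")
    if not confirmed:
        raise QuarantineError("user confirmation required before moving files")
    quarantine_root.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dest))
    return dest


def demo():
    """Exercise the checks on a constructed temporary layout."""
    base = Path(tempfile.mkdtemp())
    skills = base / "skills"
    (skills / "suspicious").mkdir(parents=True)
    (base / "victim").mkdir()                      # lives outside the skills root
    (skills / "link").symlink_to(base / "victim", target_is_directory=True)
    qdir = base / "quarantine"

    def attempt(target, confirmed):
        try:
            quarantine(target, skills, qdir, confirmed=confirmed)
            return "moved"
        except QuarantineError:
            return "refused"

    results = {
        "unconfirmed": attempt(skills / "suspicious", False),
        "traversal": attempt(skills / ".." / "victim", True),
        "symlink": attempt(skills / "link", True),
        "root_itself": attempt(skills, True),
        "confirmed": attempt(skills / "suspicious", True),
    }
    results["moved_to_quarantine"] = (
        (qdir / "suspicious").is_dir() and not (skills / "suspicious").exists()
    )
    results["victim_intact"] = (base / "victim").is_dir()
    shutil.rmtree(base)
    return results


if __name__ == "__main__":
    print(demo())
```

The confinement check resolves the path first, so both `..` segments and a symlink planted inside the skills root fail the `relative_to` test; the confirmation flag is checked last, so an agent cannot learn anything about paths outside the root by probing with it unset.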
HIGH: SKILL.md encourages autonomous destructive agent behavior (-15)
The SKILL.md Agent API section and quarantine output message explicitly encourage agents to autonomously scan and quarantine skills without user oversight. The phrase 'Safe for agents to auto-trigger on HIGH RISK' and the dual-use design framing normalize autonomous file deletion/movement. This is a soft prompt injection that shifts agent behavior toward unsupervised destructive actions.
MEDIUM: Unrestricted directory traversal and file reading (-10)
scan_local() uses os.walk() to recursively traverse any directory and open() to read all .py, .js, .yaml, .json files found. There are no depth limits, no path restrictions, and no file size limits. If pointed at a large or sensitive directory (e.g., home directory, /etc), it will read all matching files.
MEDIUM: Security tool positioning enables trust-based social engineering (-15)
By presenting itself as a security scanner, the skill gains implicit trust from both users and agents. A malicious actor could publish a modified version that uses this trusted position to exfiltrate data during scans or selectively quarantine protective skills. Even as-is, the tool could be weaponized by instructing an agent to 'scan and quarantine anything risky' against the user's own legitimate code.
MEDIUM: File contents exposed through scan reports in agent context (-10)
When scan_local() detects patterns, it includes snippets of matched content (up to 30 chars) in the report. When an agent processes this report, sensitive content fragments (API key prefixes, credential patterns) become part of the agent's context and could be inadvertently exposed in subsequent responses.
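The two scan_local() findings above (unbounded traversal, and raw matched content flowing into the agent's context) share one fix: bound the walk and redact what is reported. The following is an added example written for this review, not ClawSkillShield's own code; the detection patterns, limits and the demo() layout are constructed for illustration.

```python
"""Bounded scanner: depth, file-size and file-count limits, no symlink
following, and redacted snippets so credential fragments never reach the
report. Added example; patterns and limits are constructed, not the tool's."""
import os
import re
import shutil
import tempfile
from pathlib import Path

SCAN_EXTENSIONS = {".py", ".js", ".yaml", ".json"}

# Constructed detection rules for the example, not the tool's real rule set.
PATTERNS = {
    "hardcoded_secret": re.compile(
        r"(?i)(api[_-]?key|secret|token)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
    "shell_exec": re.compile(r"\b(os\.system|subprocess\.(?:run|call|Popen))\s*\("),
}


def redact(matched: str) -> str:
    """Replace any quoted literal inside the match so a secret value, or
    even its prefix, is never copied into the report."""
    return re.sub(r"(['\"])[^'\"]*\1", r"\1[REDACTED]\1", matched)


def scan_local(root, max_depth=4, max_file_bytes=256 * 1024, max_files=2000):
    """Walk root with hard limits and return a report dict."""
    root = os.path.realpath(root)
    report = {"findings": [], "skipped": [], "truncated": False}
    scanned = 0
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []        # scan this level's files, descend no further
        for name in sorted(filenames):
            path = Path(dirpath, name)
            if path.suffix not in SCAN_EXTENSIONS:
                continue
            if path.is_symlink():   # could point anywhere on the filesystem
                report["skipped"].append((os.path.relpath(path, root), "symlink"))
                continue
            if path.stat().st_size > max_file_bytes:
                report["skipped"].append((os.path.relpath(path, root), "too large"))
                continue
            if scanned >= max_files:
                report["truncated"] = True
                return report
            scanned += 1
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for rule, pattern in PATTERNS.items():
                        m = pattern.search(line)
                        if m:
                            report["findings"].append({
                                "rule": rule,
                                "file": os.path.relpath(path, root),
                                "line": line_no,
                                "snippet": redact(m.group(0))[:30],
                            })
    return report


def demo():
    """Run the scanner over a constructed tree exercising each limit."""
    base = Path(tempfile.mkdtemp())
    root = base / "skills"
    (root / "deep" / "a" / "b").mkdir(parents=True)
    (root / "skill.py").write_text(
        'API_KEY = "sk_live_abcdef123456"\nimport os\nos.system("ls")\n')
    # Deeper than max_depth=2: must never be opened.
    (root / "deep" / "a" / "b" / "hidden.py").write_text('TOKEN = "ghp_zzzzzzzzzzzz"\n')
    # Larger than max_file_bytes: must be skipped unread.
    (root / "big.json").write_text("x" * 4096)
    # Symlink escaping the scan root: must not be followed.
    (base / "outside.py").write_text('SECRET = "outside_value_123"\n')
    (root / "link.py").symlink_to(base / "outside.py")
    try:
        return scan_local(root, max_depth=2, max_file_bytes=1024, max_files=100)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Reporting only rule, file and line number would be stricter still; the redacted snippet keeps enough context for a human to triage the finding while the value itself never enters the agent's context.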
LOW: External URL reference in SKILL.md (-5)
SKILL.md references an external GitHub URL and a contact email. While not actively malicious, external URLs in skill prompts could be used by agents to fetch additional instructions or by future versions to redirect to malicious content.
INFO: BOM character in README.md (-2)
README.md begins with a UTF-8 BOM (byte order mark \uFEFF). While not malicious, this is unusual and could indicate the file was created on a Windows system or potentially used to disguise content from simple text parsers.
INFO: Network connections to expected infrastructure only (-5)
All observed network connections during install correspond to expected infrastructure: GitHub for clone, Canonical/Ubuntu for system updates, and local services. No anomalous connections detected.