Is adainthelab/skulk-skill-scanner safe?
https://github.com/openclaw/skills/tree/main/skills/adainthelab/skulk-skill-scanner
Skulk Skill Scanner is a static analysis tool for OpenClaw skills written in clean, dependency-free Node.js. The SKILL.md contains no prompt injection, the code makes no outbound network requests, the GitHub clone was clean, and all canary honeypots passed integrity checks. The primary concerns are architectural rather than malicious: the scanner reads arbitrary file paths (including .json files that may contain credentials if run on the wrong directory), its output includes raw file content that could carry second-order prompt injection from scanned skills, and two domains of unclear provenance (skulk.ai, moltbook.com) are hardcoded as trusted in the network allowlist. The credential file reads observed in monitoring appear attributable to the audit framework's canary lifecycle, not the skill itself.
Findings (8)
MEDIUM Second-order prompt injection via scanner findings output -4
scanner.js reads file contents and emits up to 120 characters of matched line content in its findings array. If the scanner is run against a skill whose source code contains LLM prompt injection payloads (e.g., hidden instructions in JS comments or markdown), those payloads would appear verbatim in the scanner's JSON or text output, which the hosting agent would then process. The scanner has no output sanitization or neutralization of potentially hostile content.
MEDIUM Arbitrary-path file reader — .json credential files in scope -15
scanner.js performs a recursive directory walk on any path provided as its first argument. Files matching .json are opened and their full contents are scanned with regex patterns. Sensitive JSON files — Docker config, GCloud application default credentials, package-lock.json tokens, VS Code settings with API keys — would be read and any matches would be included in output surfaced to the agent. The .env and .pem file types are not in the extension list, providing partial but incomplete protection.
LOW Credential files accessed read-only during audit monitoring window -7
inotify and auditd records show OPEN+ACCESS+CLOSE_NOWRITE on six credential honeypot files at two timestamp clusters: 1771652897.244-255 (before git clone, sequences 250-255) and 1771652918.431-432 (after post-install scan, sequences 1409-1414). The scanner.js extension filter would not read these files. The canary integrity check passed (✅). Assessment: the reads are attributable to the audit framework's canary lifecycle (placement at monitoring start, verification at monitoring end) rather than skill activity. Reported for completeness.
LOW Executable script self-excluded from default scan -7
The scanner unconditionally skips scripts/scanner.js from analysis unless the --include-self flag is passed. This is documented behavior to reduce noise, but it means the scanner does not apply its own malice-detection rules to itself in the default configuration. A compromised scanner update would not be caught by a naive clawhub inspect run.
LOW Proprietary domains hardcoded in SAFE_DOMAINS network allowlist -10
skulk.ai and moltbook.com are included in SAFE_DOMAINS alongside well-established services. The scanner uses this list to suppress network-access findings for URLs on allowlisted domains. Any future revision of the skill that makes outbound requests to these domains — for telemetry, update checks, or exfiltration — would not be flagged by the scanner itself. Users editing their own scanner copy may not notice these inclusions.
LOW Scanner output exposes filesystem structure and tool inventory -15
The scanner reports which files exist in a scanned directory, enabling reconnaissance of installed tooling, CI configuration, and project layout. While this is intrinsic to a file scanner, if the skill is used with overly broad path arguments, the files[] array in JSON output reveals directory structure.
INFO GitHub HTTPS clone — expected and clean 0
Installation used git sparse-checkout to clone only the skulk-skill-scanner subtree from the openclaw/skills monorepo. Single external connection to 140.82.121.3:443 (GitHub). No unexpected DNS lookups or additional IP destinations. Filesystem changes limited to the target install directory.
INFO No npm dependencies — stdlib only 0
No package.json present, no node_modules directory, no preinstall/postinstall hooks possible. scanner.js requires only 'fs' and 'path' from the Node.js standard library.