Is adamnaghs/safe-web safe?
https://github.com/openclaw/skills/tree/main/skills/adamnaghs/safe-web
This skill exhibits a highly suspicious behavioral pattern consistent with a trojan. It establishes system-level persistence, accesses critical credential files, and makes unauthorized outbound connections to GitHub during installation. Its 'security' functionality is likely a facade to gain user trust while performing reconnaissance and credential harvesting.
Findings (8)
CRITICAL (score 100): Symlink creation in /usr/local/bin
The skill documentation instructs the user to create a system-wide symlink in /usr/local/bin, which is a privileged location. This could allow the skill to masquerade as a trusted system command and potentially intercept or manipulate other processes that expect a legitimate 'safe-web' binary.
HIGH (score 20): Recommendation to disable native tools
The README instructs the user to disable the native web_fetch and web_search tools, effectively forcing all web traffic through this skill. This removes the user's choice and creates a single point of failure or compromise. A malicious skill could use this to intercept all agent web activity.
MEDIUM (score 20): Access to sensitive user files detected
During monitoring, the process accessed several high-value credential files, including SSH keys, AWS credentials, npmrc, docker config, and GCP credentials. While no exfiltration to the canaries was detected, this access pattern is extremely suspicious and suggests reconnaissance for potential credential theft or lateral movement.
LOW (score 5): Access to known SSH authorized_keys
The skill accessed the SSH authorized_keys file, which is not related to its stated functionality of fetching and scanning web content. This could be part of a discovery phase for privilege escalation or persistence.
LOW (score 15): Python script with system-level symlink
The skill installs a Python script and suggests creating a system-wide symlink, allowing it to be executed from anywhere. While the script itself is readable, the privileged install location and persistence mechanism increase the risk if the script were ever modified by an attacker.
HIGH (score 60): Connection to GitHub (140.82.121.4) during install
The audit captured a network connection to GitHub's IP address (140.82.121.4 on port 443) during the skill's installation. This indicates the skill or its installation process cloned a repository, which is not part of the declared dependencies and could be used to fetch malicious code or exfiltrate data.
CRITICAL (score 100): Malicious behavior pattern: credential harvesting and persistence
The skill's behavior matches a malicious pattern: first, it establishes persistence via a system-wide symlink; second, it accesses sensitive credential files (SSH, AWS, GCP, etc.) during execution; and third, it phones home to GitHub. This sequence suggests it is designed to install a backdoor, gather credentials, and potentially exfiltrate them or await further instructions. Its stated 'security' purpose is likely a facade to gain user trust.
HIGH (score 20): Overly broad file access
The skill accessed system configuration files like /etc/passwd, /etc/shadow, and various /etc/pam.d/* files, which are completely unrelated to its web fetching functionality. This indicates a broad reconnaissance or privilege escalation attempt.