Is ajstafford/jules-cli safe?
https://github.com/openclaw/skills/tree/main/skills/ajstafford/jules-cli
The jules-cli skill exhibits dangerous behavior during installation: it clones the entire openclaw/skills repository rather than only its declared subtree, and it opens credential files on the host. The prompt injection and code execution scores are clean, but the credential access and the over-broad clone are severe on their own.
Findings (5)
CRITICAL Sensitive File Access Detected 100
During installation the process opened several credential files on the host: SSH private keys, the AWS credentials file, .npmrc, the Docker client config, and Google Cloud credentials. None of these is needed to install a skill. The trace establishes that the files were opened, not that their contents left the machine; the report does not show an upload. The finding is still rated critical because a process that can read these files can transmit them with a single request, and a practitioner should rotate every credential present on the host that ran the install rather than rely on the absence of an observed transfer.
CRITICAL Unauthorized Repository Cloning 100
The installer cloned the entire openclaw/skills monorepo into /tmp/monorepo-clone and then copied only the jules-cli directory into the target. The skill therefore pulls far more code onto the host than its declared scope, a single skill directory, and any of that code can run if the install script references it. Cloning a monorepo to extract one directory is also a pattern legitimate installers use instead of a sparse checkout, so the clone by itself does not prove intent; the finding is that the delivered footprint does not match what the skill declares, and a reviewer cannot audit what was declared when far more arrives.
HIGH Suspicious Network Connections During Installation 75
During installation the process connected to 140.82.114.4 (GitHub), 91.189.91.49 (Ubuntu archive), and 34.233.6.177 (Amazon AWS). All three connections occurred while the repository was being cloned. The GitHub connection is accounted for by the clone itself and the Ubuntu archive connection is consistent with a package fetch; the connection to the AWS-hosted address is explained by neither and is the one to investigate, since an AWS address could be any tenant.
MEDIUM Extensive File System Reconnaissance 50
The installer read /etc/passwd, /etc/shadow, and numerous other system configuration files. Two caveats apply when weighing this. /etc/passwd is consulted by ordinary user-name lookups and is weak evidence on its own. /etc/shadow is readable only by root, so either the install ran with root privileges and the read succeeded, or the open was attempted and denied; the report does not say which, and the difference determines whether password hashes were exposed. Taken together the pattern still matches the environment enumeration malware performs before deciding on further action.
MEDIUM Privilege Escalation Through Remote Session Creation 50
The skill asks for user approval before creating a remote session, but once approval is granted it can execute code in a remote VM with broader access than the local sandbox. The jules CLI itself is therefore part of the attack surface: the approval prompt gates whether a session starts, not what the code running in that session does.