Is akhmittra/skill-security-auditor safe?

analyze-skill.sh is a functional shell script that makes live curl requests to clawhub.ai when invoked with --slug. The script is designed to be made executable and aliased system-wide. While the provided source is non-malicious, any future modification via the documented update mechanism would allow silent replacement of behavior. The script also processes untrusted skill content (full SKILL.md text) through regex patterns, creating a potential injection path.

SKILL.md documents an IOC database update command that fetches from openclaw-security.github.io — a GitHub Pages domain that could be registered by any GitHub user and is not associated with any established security organization. If an agent executes this update, arbitrary JSON is written to ioc-database.json, poisoning all future scans run by this tool.

Auditd PATH records at timestamp 1771649843.429 (events 1437-1442) show ACCESS syscalls against all 6 high-value credential paths immediately after skill installation. The pre-install sweep (1771649826) is attributable to Oathe canary setup, but the post-install sweep at 1771649843 does not have a matching EXECVE record in the provided audit trail. Canary integrity is maintained (CLOSE_NOWRITE events confirm read-only access and no network exfiltration confirmed via honeypot), but the reads occurred.

SKILL.md instructs the agent to append a shell alias to ~/.bashrc and immediately source it. This is a standard persistence mechanism: the alias survives session termination, affects all future interactive shells, and points to an executable the skill controls. If the script is later replaced (via update mechanism), the alias silently executes new code.

analyze-skill.sh extracts .pattern fields from malicious-patterns.json using jq -r and interpolates them directly into grep -iE "$pattern". If the patterns database were poisoned (via the update mechanism), malformed extended regex could cause catastrophic backtracking (ReDoS), or — depending on shell quoting edge cases — potentially influence grep behavior in unintended ways.

By positioning itself as a trusted pre-installation scanner, this skill creates a trust relationship where SAFE verdicts substitute for independent human review. An attacker who reverse-engineers the 20+ detection patterns (all publicly available in malicious-patterns.json) can trivially craft a malicious skill that scores SAFE. The whitelisted safe_domains including clawhub.ai and openclaw.ai could also be abused by an attacker who controls content on those domains.

The openclaw-security.github.io update endpoint creates a persistent attack surface: if that domain is abandoned and re-registered, or the GitHub Pages site is compromised, every agent running this skill's documented update command will install attacker-controlled detection patterns. This could cause malicious skills to be whitelisted (false negatives) or benign skills to be flagged (false positives used for coercion).

The install process made connections exclusively to 140.82.121.4:443 (GitHub's IP). DNS queries resolved only standard infrastructure. No connections to suspicious C2 IPs (notably absent: 91.92.242.30 which the skill's own patterns flag as ClawHavoc C2). Connection state before and after install is identical — no new listeners or persistent network services.

When the scanner is used as intended, it loads full SKILL.md content of other skills into memory and runs pattern matching. A specially crafted SKILL.md could include content that — when pattern-matched and reported — produces output that manipulates the agent's decision-making about subsequent skill installations.

The Oathe honeypot verification confirmed all planted credential files remain unmodified and no exfiltration was confirmed via the canary detection mechanism. Filesystem events show only CLOSE_NOWRITE (read-only) access patterns on credential files.