Is alessandropcostabr/openclaw-skill-debugger safe?

https://github.com/openclaw/skills/tree/main/skills/alessandropcostabr/openclaw-skill-debugger

Overall score: 86 (SAFE)

The openclaw-skill-debugger is a functionally legitimate debugging utility for OpenClaw AgentSkills with no evidence of prompt injection, hidden malicious instructions, or intentional data exfiltration. Sensitive file accesses observed in monitoring are attributable to the audit framework's pre- and post-install canary scanning, not to any code or instruction within the skill itself. The principal risk is the skill's meta-nature: it systematically reads other skills' source code and platform configuration into the agent context, and its shell scripts accept user-controlled path arguments that could scan unintended directories.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (5)

INFO Sensitive files accessed before and after install -10

Filesystem monitoring recorded opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. The first cluster (audit 1771924095, before git clone at 1771924100) and the second cluster (audit 1771924113, post-install) align with the audit framework's baseline and canary verification phases, respectively. No skill code or SKILL.md instructions could have triggered these accesses. The canary integrity check confirmed no modification or exfiltration.

LOW Shell scripts accept user-controlled path argument -10

check-hardcoded-paths.sh takes its first positional argument as the root scan directory and passes it directly to ripgrep. If an agent were instructed to pass a path like '/' or '/home', the script would scan the entire filesystem for absolute path patterns, potentially surfacing sensitive paths in output returned to the agent context.

LOW Agent instructed to execute bundled shell scripts -10

SKILL.md directs the agent to run 'bash scripts/check-hardcoded-paths.sh ' and (when implemented) 'scripts/verify-dependencies.sh ' as standard workflow steps. While current script content is benign, this pattern couples agent behavior to script content that could be changed in a future version update.

LOW Meta-skill reads other installed skills' source code into agent context -10

The skill's primary function requires the agent to open, read, and reason about source files of other installed skills. This means every debugging session exposes the target skill's complete SKILL.md, scripts, and configuration to the LLM context window, which could leak proprietary skill logic if the agent's context is logged or intercepted.

INFO Meta-skill provides structured environmental reconnaissance capability -25

debug-workflow.md provides a systematic methodology for inspecting OpenClaw configuration ('openclaw config get '), reading gateway logs ('openclaw logs'), listing skill files, and checking PATH dependencies. This is legitimate for debugging, but if this skill were installed in a victim environment, it would give an attacker a ready-made reconnaissance framework to understand the platform layout before a subsequent attack.