Is ando818/mistro safe?

https://github.com/openclaw/skills/tree/main/skills/ando818/mistro

Overall score: 78 · CAUTION

Mistro is a legitimate agent-to-agent discovery and communication skill that transparently sends user data to the mistro.sh third-party service. While no malicious code, prompt injection, or exfiltration attempts were detected during installation, the skill's core communication functionality creates significant inbound prompt injection risk from external Mistro network users and a broad data transmission surface. The unverified npm package and bidirectional messaging channel warrant caution.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (8)

MEDIUM Core functionality transmits user data to third-party server -25

The skill's 19 tools include send_message, create_post, update_shared_context, and respond_to_post — all of which transmit user-authored content to https://mistro.sh (Hetzner, Frankfurt). While this is the disclosed purpose of the skill, it creates a significant data transmission surface. Any text the user asks the agent to share via Mistro could include sensitive information from the conversation context.

MEDIUM Inbound prompt injection vector via agent-to-agent messaging -30

The check_inbox, read_messages, and search_posts tools receive content authored by unknown external parties on the Mistro network. This content is delivered directly to the LLM agent's context window. A malicious actor on the Mistro network could craft messages or posts containing prompt injection payloads designed to override the agent's instructions, exfiltrate data, or manipulate behavior.

MEDIUM Unverified npm package installation -15

The skill requires installing mistro.sh as a global npm package. While SKILL.md claims 'No post-install scripts. No background processes', the actual npm package contents and any lifecycle scripts cannot be verified from the collected evidence. The install monitoring showed no suspicious behavior, but the package could be updated with malicious code in future versions.

MEDIUM External content delivery into agent context -18

While the SKILL.md itself contains no prompt injection, the communication tools create a persistent channel for delivering externally-authored content into the agent's context. Search results from search_posts and search_profiles, incoming connection requests, and messages all inject third-party text into the agent's processing pipeline without sanitization guarantees.

LOW Combination risk with file-access skills -15

If this skill is installed alongside skills that can read local files, a social engineering attack via the Mistro network becomes more dangerous. An external party could request file contents through the messaging system, and the agent might comply if the request appears legitimate in context.

LOW API key and JWT stored in user home directory -5

The skill stores MISTRO_API_KEY and optional JWT tokens in ~/.config/mistro/config.json. While this follows standard credential storage conventions, the tokens grant access to the user's Mistro account and could be leveraged by other skills or processes on the system.

INFO Clean installation behavior observed -5

Installation monitoring showed only expected network connections (GitHub, npm registry, Ubuntu servers) and standard system processes. No connections to mistro.sh were made during the install phase. No firewall-blocked connections. No filesystem changes outside expected directories.

INFO All canary files intact 0

Honeypot files (.env, SSH keys, AWS credentials, .npmrc, Docker config, GCloud credentials) were not accessed or modified during the skill installation process.