Is asteinberger/airfoil safe?

https://github.com/openclaw/skills/tree/main/skills/asteinberger/airfoil

Overall score: 92/100 · SAFE

The asteinberger/airfoil skill is a legitimate macOS utility for controlling AirPlay speakers via the Airfoil app using AppleScript. The SKILL.md contains no prompt injection, and the shell script contains no malicious file access, network exfiltration, or backdoor mechanisms. Two minor shell/AppleScript injection vulnerabilities exist due to unvalidated user inputs in the osascript calls; these are code quality issues rather than signs of malicious intent. Canary file accesses observed in monitoring are attributable to the audit infrastructure's own baseline scans.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (4)

MEDIUM · Unvalidated speaker name interpolated into AppleScript command · -12

The $SPEAKER variable in connect, disconnect, and volume commands is interpolated directly into an osascript -e double-quoted string without sanitization. An attacker who can influence the speaker name (e.g., via a rogue Airfoil speaker on the network) could inject arbitrary AppleScript commands.

LOW · Unvalidated numeric input passed to bc for volume calculation · -6

The $VALUE parameter in the volume command is passed directly to bc via echo without input validation. While bc has limited attack surface, crafted input could cause unexpected arithmetic behavior or shell metacharacter interpretation.

INFO · Canary files accessed during audit, attributed to infrastructure · 0

Multiple canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at timestamps 1771652517 (pre-clone baseline) and 1771652538 (post-install check). These accesses are consistent with the audit framework's own canary verification routines, not the skill code, which contains no file read operations on these paths.

INFO · SKILL.md is clean documentation with no injection content · 0

The skill prompt document contains only legitimate how-to documentation for AirPlay speaker control. No hidden instructions, override directives, persona manipulation, or covert URL fetches were detected.