Is atefr/niri-ipc safe?
https://github.com/openclaw/skills/tree/main/skills/atefr/niri-ipc
atefr/niri-ipc is a legitimate Niri Wayland compositor IPC control skill with clean Python scripts, no prompt injection, no data exfiltration code, and expected installation behavior. The primary risk is its inherently powerful capability surface: spawn-sh enables arbitrary shell execution within the user's desktop session, and window enumeration/event streaming provide persistent desktop surveillance. These capabilities are clearly documented and architecturally necessary for the skill's stated purpose, but represent meaningful attack surface if an agent using this skill is manipulated by adversarial input.
Findings (6)
MEDIUM spawn-sh enables arbitrary shell execution via Niri compositor -12
The skill exposes niri's spawn-sh IPC action which runs arbitrary shell commands inside the user's Wayland session. The wrapper scripts pass arguments directly to niri msg without sanitization. Additionally, niri_socket.py accepts raw JSON IPC requests, bypassing all wrapper-level argument validation.
MEDIUM Full desktop control surface available to agent -20
The skill gives the agent capabilities to enumerate windows (title surveillance), close windows, switch workspaces, spawn processes, and stream all compositor events. These capabilities are legitimate for the stated purpose but represent a significant attack surface if the agent is manipulated.
LOW Window title enumeration exposes user context -5
Listing all open windows reveals application names and document titles, which may include sensitive filenames, browser tab titles with URLs, or terminal session content without explicit user consent.
LOW Canary files accessed post-install by audit infrastructure -7
Canary files were accessed at the end of the monitoring window. Integrity check confirms no exfiltration. Accesses are attributable to the oathe audit infrastructure performing final integrity verification, not to skill code.
INFO SKILL.md contains no adversarial instructions -3
SKILL.md is clean documentation with no prompt injection patterns, override instructions, hidden content, external URLs to fetch, persona switches, or permission escalation requests.
INFO Install behavior nominal — GitHub sparse clone only -3
Installation contacted only GitHub (140.82.121.4:443), performed a sparse clone of the monorepo, and cleaned up the temporary directory. No new listening ports, no background processes, no unexpected filesystem writes outside the install target.