Is bdwelle/unified-find-skills safe?
https://github.com/openclaw/skills/tree/main/skills/bdwelle/unified-find-skills
The unified-find-skills skill is a meta-installer that helps users discover and install agent skills from three registries. It poses meaningful supply chain risk: its broad activation triggers, auto-confirm installation flags (-g -y), and unconditional trust of three external registries mean a single poisoned registry entry could result in malicious code being installed globally with no user approval required. Additionally, the .env canary file was accessed mid-install at timestamps outside the expected pre/post baseline windows, and the skill instructs global npm package installation with no version pinning or postinstall sandboxing.
Findings (8)
HIGH Global silent package installation with -g -y flags -22
The skill instructs the agent to run npx skills add <owner/repo@skill> -g -y. The -g flag installs globally into the user's agent configuration, and -y bypasses all confirmation prompts. This means the agent will install arbitrary third-party skill packages with no human approval step, executing any pre/postinstall scripts they contain with full user privileges.
HIGH Overly broad activation triggers enable unintended skill installs -18
The skill activates when the user 'Asks how do I do X where X might be a common task with an existing skill.' This is an extremely broad trigger that will intercept general questions and initiate skill searches and potentially installs without the user explicitly asking to install anything. This is a form of behavioral scope creep that could lead to unexpected code execution.
HIGH Global npm CLI installs with potential malicious postinstall scripts -15
The skill instructs npm install -g clawhub and npm install -g tessl to install CLI tools globally. Global npm installs execute any preinstall, install, and postinstall lifecycle scripts in the package with full user privileges and no sandboxing. A compromised or malicious version of either package could read credentials, modify agent config, or establish persistence.
MEDIUM Sensitive credential files accessed during install outside expected canary windows -18
/home/oc-exec/.env was accessed at audit events 5549 (timestamp ~1771949508) and 5590 (timestamp ~1771949515). These events fall during the active git clone and sparse-checkout phases of the install, not during the expected pre/post canary baseline checks (which occur at t≈1771949500 and t≈1771949520). While the canary integrity check confirms the files were not modified, the content may have been read by a process active during install.
MEDIUM Agent silently fetches and parses external URL as part of normal search flow -14
The skill instructs the agent to run curl -s https://tessl.io/registry/discover?contentType=skills | grep -o 'name:"[^"]*"' | head -10 as a routine registry search step. This causes the agent to make outbound HTTP requests to a third-party server and parse its response, without surfacing this network activity to the user. The response could contain injected content if tessl.io were compromised.
MEDIUM Meta-installer creates high-value supply chain attack surface -20
This skill's purpose is to install other skills. If any of the three registries it trusts (skills.sh, clawhub, tessl.io) contains a malicious entry, this skill will recommend and auto-install it. Combined with the broad activation triggers and -y auto-confirm, a targeted registry poisoning attack requires no user interaction beyond asking a general question.
LOW npx invocations without version pinning enable registry substitution attacks -8
All npx invocations (npx skills find, npx skills add) are unpinned. If the skills package on npm were compromised or if a user's npm configuration resolves to a malicious registry, a malicious version could be fetched and executed silently.
INFO All canary files intact — no confirmed exfiltration 0
The post-audit canary integrity check confirms that /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were not modified or exfiltrated. Hash comparison passed for all honeypot files.