Is beanapologist/goldenseed safe?

https://github.com/openclaw/skills/tree/main/skills/beanapologist/goldenseed

77
CAUTION

GoldenSeed is a deterministic PRNG skill that presents a plausible use case (reproducible testing and procedural generation) with no prompt injection or direct data exfiltration attempts in its skill files. However, the skill's primary risk is supply-chain: it depends entirely on an unversioned, unaudited external PyPI package ('golden-seed') that exposes a module under a different name ('gq') with a class name ('UniversalQKD') that borrows from quantum cryptography terminology despite explicit non-crypto disclaimers. The install-time monitoring found no malicious behavior, canary files are intact, and network traffic matches expected destinations, but the runtime behavior of the external package cannot be assessed from the evidence provided.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 68/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (9)

HIGH Unversioned pip install with module name mismatch -20

install.sh runs 'pip install golden-seed' with no pinned version and no hash. SKILL.md imports 'from gq import UniversalQKD', but 'gq' is not the name of the installed distribution. A PyPI distribution name and its import name often differ, so either the golden-seed package ships a top-level module named gq, or gq is satisfied by some other package already on the path. The skill files alone do not settle which, so the code that actually executes at runtime cannot be traced to a named package and version from the evidence provided. Without version pinning (ideally enforced with --require-hashes), a future compromise of golden-seed on PyPI would be picked up silently on the next install.
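Two checks that follow from this finding, as an added example (not code from the skill or from the golden-seed package): a linter for the requirements line that refuses anything without an exact pin and a sha256 hash, and a resolver that maps a top-level module name such as gq back to the installed distribution that owns it, without importing it. The fixture at the bottom is a fabricated dist-info that declares gq as belonging to golden-seed, with a placeholder version of 0.0.0; it stands in for the real package, which is not available offline.

```python
"""Pre- and post-install checks for 'pip install golden-seed' / 'from gq import ...'."""
import os
import re
import tempfile
from importlib import metadata

PIN_RE = re.compile(r"^\s*[A-Za-z0-9][A-Za-z0-9._-]*\s*==\s*[0-9][^\s;]*")
HASH_RE = re.compile(r"--hash=sha256:[0-9a-f]{64}\b")


def audit_requirement(line: str) -> list:
    """Return the problems with one requirements.txt line (empty list = acceptable)."""
    problems = []
    if not PIN_RE.match(line):
        problems.append("unpinned: no exact '==' version")
    if not HASH_RE.search(line):
        problems.append("unhashed: no --hash=sha256:... (pip --require-hashes would refuse it)")
    return problems


def distributions_providing(module: str, path=None) -> list:
    """Name the installed distribution(s) that ship top-level module `module`.

    Reads each distribution's top_level.txt and RECORD; nothing is imported.
    `path` defaults to sys.path.
    """
    kwargs = {"path": path} if path else {}
    owners = set()
    for dist in metadata.distributions(**kwargs):
        names = set((dist.read_text("top_level.txt") or "").split())
        for f in dist.files or []:
            first = f.parts[0]
            if first.startswith(".") or first.endswith((".dist-info", ".egg-info")):
                continue
            names.add(first[:-3] if first.endswith(".py") else first)
        if module in names:
            owners.add(f"{dist.metadata['Name']}=={dist.version}")
    return sorted(owners)


def demo_fixture() -> list:
    """Constructed stand-in: a fake golden-seed dist-info whose top_level.txt lists 'gq'."""
    site = tempfile.mkdtemp(prefix="fake-site-")
    info = os.path.join(site, "golden_seed-0.0.0.dist-info")
    os.mkdir(info)
    with open(os.path.join(info, "METADATA"), "w") as fh:
        fh.write("Metadata-Version: 2.1\nName: golden-seed\nVersion: 0.0.0\n")
    with open(os.path.join(info, "top_level.txt"), "w") as fh:
        fh.write("gq\n")
    return distributions_providing("gq", path=[site])


if __name__ == "__main__":
    print(audit_requirement("golden-seed"))
    print(audit_requirement("golden-seed==0.0.0 --hash=sha256:" + "0" * 64))
    print(demo_fixture())
```

Run distributions_providing("gq") in the environment the skill actually installed into; an empty list means gq is not shipped by any installed distribution and is coming from somewhere else on the path, which is the worse of the two possibilities the finding describes.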

MEDIUM Cryptographic terminology used for non-cryptographic library -15

The class UniversalQKD references Quantum Key Distribution, a quantum-cryptographic protocol, yet the skill explicitly states the library is not cryptographically secure. An LLM agent reasoning about appropriate use could be confused by this naming into misapplying the library. Conversely, a user who knows QKD is a secure protocol may mistrust the warnings and use it for security tokens.

MEDIUM pip install executes unreviewed remote code at install time -15

Running 'pip install golden-seed' fetches and executes arbitrary Python from PyPI. If pip resolves to an sdist, setup.py and any pyproject.toml build backend run with the installing user's privileges, and a setuptools cmdclass override of the install command acts as a post-install script; a wheel runs no code at install time but is still unreviewed code that runs at first import. None of the golden-seed package's build files are included in the skill repository, so they cannot be audited from the evidence provided. The monitored install did not show obvious malicious behavior, but one clean install shows only that this version behaved on this day, and pip installs remain a common supply-chain vector.
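The check a reviewer would run before letting install.sh execute, as an added example (not the skill's or golden-seed's code): fetch the archive without building it (pip download --no-deps --no-binary :all: golden-seed -d ./audit) and statically triage what would run. Nothing can be fetched offline here, so build_sample_sdist() fabricates an sdist whose setup.py hooks the install command; the backend allowlist and the regex labels are this example's own choices.

```python
"""Static triage of an sdist before pip is allowed to build it."""
import io
import os
import re
import tarfile
import tempfile

# Build backends whose hooks are themselves widely reviewed; anything else,
# or a backend-path pointing at code inside the archive, deserves a read.
KNOWN_BACKENDS = {
    "setuptools.build_meta", "setuptools.build_meta:__legacy__",
    "flit_core.buildapi", "hatchling.build", "poetry.core.masonry.api",
    "pdm.backend", "maturin",
}
# Things a setup.py does not need for declaring metadata.
SUSPECT = {
    "cmdclass": re.compile(r"\bcmdclass\s*="),
    "subprocess": re.compile(r"\bsubprocess\b|\bos\.system\b|\bos\.popen\b"),
    "network": re.compile(r"\burllib\b|\brequests\b|\bsocket\b|\bhttp\.client\b"),
    "obfuscation": re.compile(r"\bexec\s*\(|\beval\s*\(|\bbase64\b|\bmarshal\b|\bzlib\b"),
    "env/creds": re.compile(r"os\.environ|\.ssh|\.aws|\.env\b"),
}


def scan_sdist(tar_path: str) -> list:
    """Return findings (strings) for an sdist tarball; empty means nothing flagged."""
    findings = []
    with tarfile.open(tar_path, "r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = "/".join(member.name.split("/")[1:])  # sdists have one top-level dir
            if rel not in ("setup.py", "pyproject.toml"):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            if rel == "setup.py":
                findings.append("setup.py present: runs as the installing user during build")
                for label, pat in SUSPECT.items():
                    if pat.search(text):
                        findings.append(f"setup.py: {label}")
            else:
                m = re.search(r'build-backend\s*=\s*"([^"]+)"', text)
                if m and m.group(1) not in KNOWN_BACKENDS:
                    findings.append(f"pyproject.toml: unfamiliar build backend {m.group(1)}")
                if re.search(r"backend-path\s*=", text):
                    findings.append("pyproject.toml: backend-path points at code inside the sdist")
    return findings


SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import subprocess

class PostInstall(install):        # constructed: the classic post-install hook
    def run(self):
        install.run(self)
        subprocess.call(["id"])    # any command, run as the installing user

setup(name="sample-pkg", version="0.0.0", cmdclass={"install": PostInstall})
'''


def build_sample_sdist() -> str:
    """Write a constructed sdist containing SAMPLE_SETUP_PY; return its path."""
    path = os.path.join(tempfile.mkdtemp(prefix="sdist-"), "sample_pkg-0.0.0.tar.gz")
    with tarfile.open(path, "w:gz") as tar:
        data = SAMPLE_SETUP_PY.encode()
        info = tarfile.TarInfo("sample_pkg-0.0.0/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return path


if __name__ == "__main__":
    for finding in scan_sdist(build_sample_sdist()):
        print(finding)
```

A clean scan is not a clearance: it only says no code runs at build time that the patterns recognise. Installing with --only-binary=:all: avoids setup.py entirely, but the package still executes at first import, which is the runtime gap the next finding describes.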

MEDIUM Unauditable runtime behavior via external pip package -15

The actual logic of UniversalQKD is entirely inside the external golden-seed/gq package. If that package is updated maliciously or is already malicious, it could read environment variables, SSH keys, or API credentials from the agent's environment at Python import time or during method calls. The install-time monitoring window does not cover runtime use.
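One way to close the monitoring gap this finding describes, as an added example (not the skill's or golden-seed's code): import the candidate module under a sys.addaudithook hook, which sees every open(), subprocess spawn and socket connect made by Python code in the process, including code that runs at import time, and report any access to a credential-looking path. Because golden-seed is not available offline, build_suspect_package() writes a constructed stand-in module that reads a fake ~/.ssh/id_rsa when imported; the module name suspect_pkg and the path markers are this example's own.

```python
"""Watch what a package touches at import time with an audit hook (Python 3.8+)."""
import importlib.util
import os
import sys
import tempfile

# Path fragments mirroring the canary set the audit framework itself watches.
SENSITIVE = (".ssh/", ".aws/", "/.env", ".npmrc", ".docker/config.json", "gcloud/")
WATCHED_EVENTS = ("open", "subprocess.Popen", "socket.connect", "os.system")
EVENTS = []          # (event, detail) tuples recorded while a module is loaded
_recording = False


def _hook(event, args):
    # Audit hooks must never raise and cannot be removed once installed,
    # so the hook is gated by _recording rather than added and removed.
    if not _recording or event not in WATCHED_EVENTS:
        return
    detail = args[0] if args else ""
    if isinstance(detail, bytes):
        detail = detail.decode("utf-8", "replace")
    if event == "open":
        if not isinstance(detail, str):
            return                  # an fd, not a path
        norm = detail.replace(os.sep, "/")
        if not any(marker in norm for marker in SENSITIVE):
            return                  # the import machinery opens plenty of .py/.pyc files
        EVENTS.append((event, norm))
    else:
        EVENTS.append((event, str(detail)))


sys.addaudithook(_hook)


def sensitive_touches(module_name: str, module_file: str) -> list:
    """Import module_file as module_name under the hook; return the recorded accesses."""
    global _recording
    EVENTS.clear()
    spec = importlib.util.spec_from_file_location(module_name, module_file)
    mod = importlib.util.module_from_spec(spec)
    _recording = True
    try:
        spec.loader.exec_module(mod)
    finally:
        _recording = False
    return list(EVENTS)


def build_suspect_package() -> tuple:
    """Constructed stand-in: a module that reads a fake ~/.ssh/id_rsa on import."""
    root = tempfile.mkdtemp(prefix="audit-")
    home = os.path.join(root, "home", "user")
    os.makedirs(os.path.join(home, ".ssh"))
    key = os.path.join(home, ".ssh", "id_rsa")
    with open(key, "w") as fh:
        fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nnot a real key\n")
    pkg = os.path.join(root, "suspect_pkg.py")
    with open(pkg, "w") as fh:
        fh.write(
            "import os\n"
            "def seed(n):\n    return n * 2654435761 % (1 << 32)\n"
            f"_grab = open({key!r}).read()  # constructed: import-time credential read\n"
        )
    return "suspect_pkg", pkg


def demo() -> list:
    name, path = build_suspect_package()
    return sensitive_touches(name, path)


if __name__ == "__main__":
    for event, detail in demo():
        print(event, detail)
```

Run this in a throwaway environment with the real package and with decoy credential files in place: the import happens for real, so a module that exfiltrates at import time has already executed by the time the report prints. The hook also misses reads done from C extensions or child processes that bypass Python's io layer, so it complements rather than replaces OS-level tracing.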

LOW False 'zero dependencies' claim -10

README explicitly states 'Zero dependencies — Pure Python, works anywhere' but the skill requires a pip install to function. This factual inaccuracy undermines trust in the skill author's accuracy and could cause an agent to assume the library is available without installation.

LOW Version mismatch between _meta.json and SKILL.md -10

_meta.json reports latest version 1.1.0 with a commit hash, but SKILL.md frontmatter declares version 1.0.0. This discrepancy means the audited skill files may not correspond to the version users would actually install, creating a gap between what was analyzed and what is deployed.

LOW Unverifiable statistical guarantees could mislead agent reasoning -10

SKILL.md makes strong claims about statistical quality ('Perfect 50/50 coin flip', 'passes standard randomness tests', 'no detectable patterns') with no supporting source code or test suite in the repository. An agent following this skill might assert these guarantees to users without being able to verify them.
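What an agent can do instead of repeating an unverifiable claim, as an added example (not the skill's or golden-seed's code): run two of the standard tests on the generator's output, a monobit test on the fraction of one bits and a chi-square over byte frequencies. Both are necessary but not sufficient: a generator that fails is demonstrably not a 'perfect 50/50 coin flip', one that passes has only cleared the lowest bar. The real package is not available offline, so random.Random stands in for a sane deterministic generator and biased_stream() is a constructed broken one; the thresholds are loose sanity limits chosen for this example, not the exact p-values a full suite would use.

```python
"""Monobit and byte-frequency chi-square checks on a byte stream."""
import math
import random

N_BYTES = 100_000
# |z| >= 4 on monobit, or chi-square >= 350 with 255 degrees of freedom
# (mean 255, standard deviation about 22.6), is far outside what a healthy
# generator produces; dieharder or NIST STS would report exact p-values.
MONOBIT_Z_LIMIT = 4.0
CHI2_LIMIT = 350.0


def monobit_z(data: bytes) -> float:
    """Z-score of the one-bit count against the 50/50 expectation."""
    ones = sum(bin(b).count("1") for b in data)
    n = len(data) * 8
    return (2 * ones - n) / math.sqrt(n)


def byte_chi2(data: bytes) -> float:
    """Chi-square statistic of byte frequencies against uniform (255 d.o.f.)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def assess(gen_bytes) -> dict:
    """Run both tests on gen_bytes(n) -> bytes; return the statistics and a verdict."""
    data = gen_bytes(N_BYTES)
    z = monobit_z(data)
    chi2 = byte_chi2(data)
    return {"monobit_z": z, "chi2": chi2,
            "passes": abs(z) < MONOBIT_Z_LIMIT and chi2 < CHI2_LIMIT}


def seeded_stream(seed: int):
    """Stand-in for a deterministic PRNG: same seed, same bytes."""
    rng = random.Random(seed)
    return lambda n: bytes(rng.getrandbits(8) for _ in range(n))


def biased_stream(seed: int):
    """Constructed broken generator: the top bit of every byte is stuck at 1."""
    rng = random.Random(seed)
    return lambda n: bytes(rng.getrandbits(8) | 0x80 for _ in range(n))


if __name__ == "__main__":
    print("sane  ", assess(seeded_stream(12345)))
    print("biased", assess(biased_stream(12345)))
```

To apply this to the package in question, replace seeded_stream with a closure that draws bytes from UniversalQKD and run it on several seeds; the result is evidence an agent can quote, rather than a README sentence.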

INFO Network activity consistent with expected operations 0

Observed connections to GitHub (140.82.112.4), Canonical Ubuntu mirrors (91.189.91.48, 185.125.188.54), and PyPI/Fastly CDN (151.101.x.x) are all attributable to git clone and pip install. The Mozilla DNS query is attributable to the GNOME desktop session, not the skill.

INFO Canary file accesses are audit-framework activity 0

Multiple read accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials appear at the start and end of the monitoring session. These correspond to the audit framework's own pre/post integrity hash checks and are not attributable to the skill.