Is bmdhodl/aws-infra safe?
https://github.com/openclaw/skills/tree/main/skills/bmdhodl/aws-infra
The bmdhodl/aws-infra skill is a clean, well-structured AWS CLI helper with no prompt injection, no malicious code, and no exfiltration mechanisms. The skill contains explicit and appropriate safety rules requiring read-only defaults and confirmation gates before any write or destructive operation. The canary file accesses detected during monitoring are consistent with the Oathe audit framework's own periodic integrity checks and were confirmed intact by the honeypot system.
Findings (5)
LOW AWS credentials loaded into agent context by design -8
The skill instructs the agent to resolve AWS_PROFILE, AWS_REGION, and ~/.aws/config as its first action, then immediately call aws sts get-caller-identity. This surfaces account ID, ARN, and credential metadata into the LLM's active context window. While this is the intended and disclosed behavior of an AWS CLI skill, it means any prompt injection in a later message could potentially extract this information.
INFO Install clones full monorepo with sparse checkout -5
The install script clones the entire openclaw/skills monorepo (depth=1) before sparse-checking out only the target skill. This means the GitHub API receives a request for the full repository. The clone is then deleted. No security concern, but wider network footprint than a direct file download.
INFO Canary files accessed post-install — consistent with audit framework pattern -7
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at timestamps both before and after skill installation. Both access clusters match the audit framework's own monitoring cadence (periodic integrity verification), not activity initiated by the installed skill files. The monitoring system itself confirmed all canaries intact.
INFO Lock file references unrelated skill -2
The .clawhub/lock.json file references 'academic-research-hub' version 0.1.0 — a different, unrelated skill. This appears to be a metadata artifact from the publisher's development environment that was accidentally committed. It has no execution implications.
INFO Skill surfaces AWS resource topology into LLM context -5
By design, the skill instructs the agent to enumerate EC2 instances, IAM users, S3 buckets, security groups, and other infrastructure details. This information enters the LLM's context and could be referenced in subsequent turns. This is the intended functionality, not an attack, but users should be aware that infrastructure metadata will be visible in conversation context.