Is bmdhodl/azure-infra safe?

https://github.com/openclaw/skills/tree/main/skills/bmdhodl/azure-infra

91
SAFE

The bmdhodl/azure-infra skill is a straightforward Azure CLI assistant with no malicious content: SKILL.md contains clean, well-intentioned instructions with no prompt injection, the skill ships zero executable code (no scripts, no npm hooks, no git hooks), and the git clone was a normal sparse-checkout from GitHub with no unexpected network destinations. The only notable signals — canary file reads — are attributable to the oathe monitoring framework's own baseline-hashing operations, not to the skill, as confirmed by the pre-clone timing and intact canary file integrity. The skill is safe to install.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 82/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

MEDIUM Canary credential files accessed during monitoring window -15

inotify and auditd both record OPEN/ACCESS events against .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. Attribution analysis places the first access batch before the git clone (1771930336 vs clone start at 1771930341) and the second at post-install teardown time (1771930353). Both are consistent with the oathe monitoring framework reading canary files to compute baseline and post-install integrity hashes. The skill itself contains no executable code capable of triggering these reads. No corresponding outbound data transfer was observed.

LOW Monorepo sparse-checkout downloads full repo object pack before filtering -7

The install clones the entire openclaw/skills monorepo with --depth 1 --no-checkout, then uses sparse-checkout to extract only the target subpath. This means all shallow objects in the monorepo are downloaded to /tmp/monorepo-clone before the relevant files are copied. While functional and cleaned up afterward, this pattern means the agent executing the install transfers and temporarily stores the full (shallow) monorepo on disk.

INFO Skill provides broad Azure read access including sensitive resource types -15

When active, the skill instructs the agent to query Key Vault listings, RBAC role assignments, and subscription details. These are sensitive operations but are explicitly declared in the skill's description and are read-only by default. A user or attacker who controls the conversation could use this skill to enumerate cloud infrastructure through the agent.

INFO az login --use-device-code instruction introduces user interaction requirement -4

The Quick Start instructs the agent to run az login --use-device-code if not already authenticated. This is a legitimate authentication flow, but it requires the user to visit a URL and enter a code. If the agent is not careful about which tenant it authenticates to, an adversarial user could potentially exploit this to make the agent initiate auth flows against attacker-controlled tenants.