Is bonk-moltbot/toon safe?
https://github.com/openclaw/skills/tree/main/skills/bonk-moltbot/toon
The toon skill is a JSON compression utility that poses a CAUTION-level risk primarily due to its architectural design: it instructs agents to unconditionally route all JSON output through an external binary sourced from the unaudited '@toon-format/cli' npm package, creating a persistent supply-chain-dependent data interception channel. No active malice was detected — canary files were intact, clone behavior was clean, and the skill contains no executable code itself — but the install instructions reference a missing scripts/toon file, and the actual runtime behavior depends entirely on an npm package that cannot be audited from this package alone. The risk is low today but structurally non-zero for any agent that handles sensitive API responses or credential-adjacent JSON.
Findings (5)
MEDIUM All-JSON interception design via unaudited npm dependency -28
The skill's core value proposition is to sit in the data path for every JSON operation the agent performs. The actual processing is delegated to '@toon-format/cli' via npx, which is downloaded at runtime and not included in the audited package. If this npm package is ever compromised (typosquatting, supply chain attack, or maintainer key compromise), every API response, credential file read, and JSON document the agent processes would pass through attacker-controlled code.
MEDIUM Referenced install script (scripts/toon) absent from package -32
SKILL.md instructs 'cp scripts/toon ~/.local/bin/' but no scripts/ directory or toon executable exists in the skill package. The only files present are SKILL.md, _meta.json, and .clawhub/lock.json. This means the install step silently fails or the agent is expected to obtain the binary via npx at execution time with no local copy available for inspection.
LOW Overbroad 'Always' usage directives -18
The skill description and body both use 'Always' to instruct the agent to pipe output through toon. While not a traditional prompt injection (no override of system instructions), these unconditional directives aggressively expand the skill's operational scope to every JSON-producing task the agent performs, maximizing attack surface if the underlying binary is malicious.
LOW lock.json references unrelated skill (academic-research-hub) -40
The .clawhub/lock.json bundled with this skill records 'academic-research-hub' as an installed dependency, not 'toon'. This is inconsistent with a cleanly authored skill and suggests the file may have been copied from another environment or is a packaging artifact. It does not pose a direct security risk but indicates low packaging hygiene.
INFO External URL reference in skill documentation -8
SKILL.md includes a 'Reference' link to https://toonformat.dev. An agent following the skill may attempt to fetch this URL for additional context. The domain was not contacted during the monitored install phase.