Is bowen31337/create-agent-skills safe?

https://github.com/openclaw/skills/tree/main/skills/bowen31337/create-agent-skills

Score: 87 (SAFE)

The create-agent-skills skill is a legitimate meta-tool for scaffolding new agent skills, containing transparent Python scripts for initialization, validation, and packaging. No prompt injection, data exfiltration code, or malicious network behavior was detected; canary files were untouched and the install left no persistent connections. The primary concerns are the skill's instruction to autonomously execute filesystem-modifying scripts and its meta-nature as a skill-creation framework that could lower the barrier to authoring malicious skills.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

LOW Executable scripts with filesystem write access -20

Three Python scripts, including init_skill.py and package_skill.py, are included and executable. init_skill.py creates directories and files at any user-specified path. package_skill.py zips arbitrary directories. The SKILL.md instructs the agent to run these scripts during normal operation, meaning they will execute in the agent's environment without explicit user awareness.

LOW Meta-skill amplification risk -18

This skill guides agents to author SKILL.md files — which are injected as system-prompt context into future agent sessions. A sophisticated attacker could use this tool as a template to create and distribute malicious skills. The skill itself is clean, but it lowers the barrier to skill-based prompt injection attacks.

LOW package_skill.py can archive arbitrary paths -12

The packaging script accepts any directory path as input and creates a zip archive of its contents. If an agent is instructed (via prompt injection or user error) to package a sensitive directory (e.g., ~/.ssh/), the script would silently bundle it. No input validation or path restriction exists.

INFO Self-referential inconsistency in skill guidelines -8

SKILL.md explicitly instructs skill creators not to include README.md or other auxiliary documentation files, yet this skill itself ships a README.md. This indicates either a guideline violation by the author or intentional inclusion, and may reduce confidence in the author's attention to their own stated standards.

INFO GitHub-only network activity during install 0

The only external network connection during install was to 140.82.121.3:443 (GitHub) for the git clone. The 185.125.188.57:443 connection was present before install and belongs to Canonical/Ubuntu update infrastructure — pre-existing and unrelated to the skill.