Is ai-humanizer safe?
https://clawhub.ai/brandonwise/ai-humanizer
The ai-humanizer skill is a legitimate text analysis tool that detects and rewrites AI-generated writing patterns. It poses no direct security threat — no data exfiltration, no hidden code execution, no malicious payloads. However, its design philosophy of permanently modifying agent output behavior (especially in 'Always-on mode') constitutes soft prompt injection, and the sensitive file accesses observed during installation (likely from the OpenClaw runtime) are concerning despite no outbound network activity.
Findings (9)
MEDIUM Persistent persona override via Always-on mode -20
The skill explicitly instructs users to embed its rules into agent system prompts for permanent behavioral modification. This makes the agent always filter its output through humanizer rules, which is a form of persistent prompt injection — albeit user-initiated.
MEDIUM Agent persona manipulation -10
SKILL.md assigns the agent a persona ('You are a writing editor') and instructs it to have opinions, react to facts, and add personality. This overrides the agent's default behavior and could conflict with system-level instructions.
LOW CLI pipe instructions could redirect agent output -8
The skill instructs agents to pipe text through shell commands for analysis, scoring, and auto-fixing. An agent following these instructions would execute node processes with user content.
LOW CLI accepts arbitrary file paths -15
The analyzer CLI accepts -f flags with file paths, meaning an agent following skill instructions could read and process any file the agent has access to. No exfiltration mechanism exists, but file contents would be loaded into agent context.
MEDIUM Shell scripts execute node with user-supplied arguments -20
scripts/analyze.sh and scripts/humanize.sh pass user-supplied arguments directly to node via $@. While properly quoted and using set -euo pipefail, this still means the skill expects agents to run arbitrary shell commands.
LOW DevDependencies include build tools -15
Package includes vitest, eslint, and prettier as devDependencies. These are standard development tools but expand the attack surface if npm install is run.
HIGH Sensitive file access during install -45
During installation, the monitoring detected reads of .env, .aws/credentials, auth-profiles.json, SSH host keys, and PAM configuration. While likely caused by the OpenClaw runtime rather than the skill itself, these accesses occurred within the install window and represent exposure of sensitive credentials to the process environment.
MEDIUM Output manipulation could suppress security warnings -25
If active alongside security or monitoring skills, the humanizer could rewrite urgent warnings to sound casual. The ban list includes words like 'crucial', 'critical', and 'paramount', which are exactly the words security tools use to convey severity.
LOW Skill functions as advertised with no hidden behavior -15
Code review of all source files, tests, and documentation shows the skill does what it claims: detects AI writing patterns and suggests rewrites. No hidden functionality, obfuscated code, or backdoors were found.