Is bvinci1-design/skill-scanner safe?

https://github.com/openclaw/skills/tree/main/skills/bvinci1-design/skill-scanner

79
CAUTION

skill-scanner is a legitimate Python security analysis tool with no prompt injection, active exfiltration code, or malicious behavior observed during installation. The primary structural risk is that the scanner accepts any filesystem path without restriction and reads all files recursively, functioning as a general-purpose file reader when an agent is manipulated into scanning non-skill directories; matched line content (up to 200 chars) is returned verbatim in the report visible to the agent context. Additionally, the tool's authoritative positioning as a security gate may create unwarranted trust in other skills that receive APPROVED verdicts, given its detection is limited to 11 hardcoded regex patterns that miss modern evasion techniques.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 58/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 83/100 · 10%
Canary Integrity 92/100 · 10%
Behavioral Reasoning 58/100 · 5%

Findings (8)

HIGH Unrestricted Filesystem Path Scanning — Universal File Reader Primitive -25

skill_scanner.py accepts any filesystem path via its CLI argument and recursively reads every file via file_path.read_text(). There is no path validation, sandboxing, or restriction to skill directories. An agent manipulated into invoking the scanner against ~, /, or /etc would silently read the entire subtree. Matched content (up to 200 chars per line) is included verbatim in the findings report returned to the agent context, meaning partial content of sensitive files containing credential-referencing strings would appear in output visible to any subsequent skill with network access.

MEDIUM Credential-Referencing Line Content Exposed Verbatim in Scan Reports -12

The credential_paths detection pattern fires on any line containing ~/.ssh, ~/.aws, ~/.config, /etc/passwd, .env, .credentials, or keychain in .py, .sh, .bash, .js, .ts, and .md files. When matched, the line content (up to 200 chars) is included verbatim in findings output. Code or config files that reference credential paths — or credential files whose content incidentally contains these strings — would have sensitive lines extracted into the report and returned to the agent context.

MEDIUM False Security Authority — Incomplete Pattern Detection Creates Misplaced Trust -22

The skill is marketed as a comprehensive security gate for Clawdbot/MCP skills and returns definitive APPROVED/CAUTION/REJECT verdicts. An APPROVED verdict may cause agents and users to skip further scrutiny. The 11-pattern ruleset would miss: base64/hex-encoded payloads, Python compile()/marshal()/bytecode loaders, multi-stage malware that downloads its payload after installation, novel C2 beacon patterns, steganographic embedding, and any evasion technique not matching the exact provided regexes. There is no update or signature-refresh mechanism.

MEDIUM Reconnaissance Primitive When Agent Path Argument Is Controlled -20

If an adversary can influence the path argument passed by an agent to the scanner (via prompt injection in another skill, crafted user input, or a manipulated invocation), the scanner becomes a reconnaissance tool. Directing it at ~ enumerates all files in the home directory, exposes credential-adjacent content in findings, and returns the structured report to the agent context. A follow-on skill or exfiltrating model call could then read that context and extract the discovered paths and partial credential content.

LOW Executable Python Files with Broad Filesystem and Network Surface -20

The skill installs two executable Python scripts that run with the agent process's filesystem privileges. While no malicious patterns were found, the code interacts broadly with the filesystem (rglob, read_text, tempfile, shutil, zipfile) and the Streamlit UI opens a local TCP server on port 8501 when started. These capabilities are appropriate for the stated purpose but expand the attack surface beyond a read-only or sandboxed skill.

LOW Streamlit UI Accepts Arbitrary File Uploads Including ZIP Archives -5

The web UI accepts uploads of .py, .js, .ts, .sh, .bash, .md, .txt, .json, .yaml, .yml, and .zip files. ZIP archives are fully extracted to a temporary directory before scanning. A user socially engineered into uploading their .env, credentials.json, or AWS credentials file for security checking would have those files read in their entirety. The file type filter is enforced only by the Streamlit frontend widget and is not validated server-side.

INFO Clean Installation — No Unexpected Network or Process Activity -17

The install process performed a git sparse-checkout of the skill subdirectory from the openclaw/skills GitHub monorepo. Network activity was limited to the expected GitHub IP. No new persistent listeners appeared post-install. File changes were confined to the designated skill directory. The pre-existing connection to Ubuntu update infrastructure (91.189.91.48:443) was established before the install began and is unrelated.

INFO Credential File Reads Attributed to Audit Monitoring System, Not Skill -8

Inotify and auditd PATH logs record reads of .env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json. Two access clusters were observed: at 04:31:17 pre-install (audit seq 270-275, timestamp 1771734677.130) and at 04:31:37 post-install (audit seq 1434-1439, timestamp 1771734697.237). The skill code was never executed during the monitoring period — only static file content was analyzed. Both clusters align with oathe baseline hash computation and post-check phases. No outbound network bytes were correlated with either access window in the tcpdump capture.