Is byron-mckeeby/ephemeral-media-hosting safe?

https://github.com/openclaw/skills/tree/main/skills/byron-mckeeby/ephemeral-media-hosting

Score: 84 · SAFE

ephemeral-media-hosting is a Japanese-language documentation skill providing bash, nginx, and PHP patterns for a temporary file hosting service. The install was clean — only two expected files landed, with no unexpected network connections or canary modifications. The primary concerns are an SSRF-capable curl invocation in the fetch-image.sh pattern, an unexplained external reference ('太郎書館') at the document's end, and setup scripts that normalize sudo escalation and cron persistence as routine operations.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (9)

MEDIUM Unresolvable external reference injected at document end -20

The final line of SKILL.md references '太郎書館' (Taro Shokan) for 'content moderation and advanced sanitization' with no URL, no author attribution, and no explanation. When this skill is injected into an agent's system prompt, the agent may attempt to locate or fetch this resource via web search or tool calls, pulling in unaudited third-party content mid-session.

MEDIUM curl -L with user-controlled URLs enables SSRF -15

fetch_and_cache_image() accepts a URL, validates only that it begins with http(s)://, then invokes curl -L (follow redirects) with no restriction on target host. An agent acting on user-supplied media URLs could be directed to internal endpoints (e.g., cloud metadata services at 169.254.169.254) or used to probe the internal network.

LOW Source URL and client IP persisted in plaintext metadata -7

Both the bash metadata writer and the PHP upload handler persist source URLs, upload IPs, and file metadata to world-readable locations within the web root. If these logs are accessible externally, they constitute a data aggregation surface.

LOW Cron job installation creates persistent scheduled execution -7

install_cron() appends a crontab entry that runs cleanup-ephemeral-media.sh daily at 02:00. If an agent executes this function, it establishes a persistent system-level scheduled task without explicit user acknowledgment.

LOW Setup scripts require and invoke root-level privileges -5

setup_media_hosting() calls sudo mkdir, sudo chown, and sudo chmod. An agent following these instructions implicitly requires elevated privileges, expanding the blast radius of any subsequent compromise.

LOW Skill installs only two files; no unexpected network activity -5

The install process performed a sparse git checkout from github.com only. No connections to third-party CDNs, package registries, or attacker infrastructure were observed. Post-install connection state is identical to pre-install state.

MEDIUM SSRF via fetch-image.sh if combined with user-controlled input -15

In normal operation the skill is documentation-only; however, if a downstream agent integrates fetch_and_cache_image() and allows user-supplied URLs, the function provides a ready-made SSRF primitive. Combined with the curl redirect-following flag, this can reach internal infrastructure.

LOW Skill normalizes privilege escalation as a routine setup step -15

By presenting sudo usage as standard operating procedure for setup, the skill conditions agents to accept privilege escalation requests without question, which could be exploited by other skills chained in the same session.

INFO Canary file reads attributable to audit framework, not skill 0

All six honeypot files were opened at audit timestamps 1771902761 (pre-install) and 1771902786 (post-install) — a pattern consistent with the audit system's own before/after integrity verification passes. No writes to any canary file were detected.