Is canbirlik/wiz-light-control safe?

https://github.com/openclaw/skills/tree/main/skills/canbirlik/wiz-light-control

89
SAFE

The wiz-light-control skill is a clean, narrowly-scoped IoT controller for Wiz smart bulbs with no prompt injection, data exfiltration logic, or suspicious code. The observed reads on credential honeypot files are confirmed to originate from the audit monitoring infrastructure (all reads predate the install or occur at audit teardown, all carry CLOSE_NOWRITE, and canary integrity passes). The only notable concern is SKILL.md's instruction for the agent to automatically run venv setup and pip install without per-step user approval, which is a minor transparency issue rather than a security threat.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (5)

LOW Auto-setup instruction directs agent to run shell commands without per-step approval -8

SKILL.md contains the directive 'The agent should verify if venv exists. If not, run this setup command block automatically'. This instructs the agent to execute a multi-command shell pipeline (venv creation + pip install) without pausing for explicit user confirmation at each step. While the commands are benign and fully disclosed, the 'automatically' framing reduces user oversight and is a minor deviation from best-practice skill design which should prompt users before executing setup.

LOW Canary credential files accessed during monitoring period -13

inotify and auditd logs record OPEN+ACCESS+CLOSE_NOWRITE events on six canonical credential files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) at two timestamps: 1771918945 (pre-install, attributed to audit infrastructure setup) and 1771918965 (post-audit, attributed to monitoring teardown integrity check). The CLOSE_NOWRITE flag on all events confirms no data was written or modified. Canary integrity monitoring independently confirms all files are intact. The install itself happens at 1771918950, after the first access batch, ruling out the skill as the source of the initial reads.

LOW Automatic pip install of third-party Python package during setup -18

The auto-setup command installs pywizlight from PyPI without a pinned version or hash verification. While pywizlight is a legitimate, actively maintained library for Wiz bulb control, unpinned pip installs are subject to supply chain risk if the package were ever compromised. No malicious behavior was observed in this install, and requirements.txt specifies only this single dependency.

INFO Sparse monorepo clone with expected GitHub network traffic 0

The installation performed a depth-1, no-checkout clone of the openclaw/skills monorepo, then used git sparse-checkout to extract only the canbirlik/wiz-light-control subdirectory. All network traffic during install was to GitHub (140.82.121.3:443). Pre-existing connections to Canonical/Ubuntu infrastructure (91.189.91.49, 185.125.188.58) are present in the BEFORE snapshot and not attributable to this skill.

INFO Skill controls physical IoT devices; disruption risk limited to local network -12

wiz.py sends UDP commands to a user-specified IP address on the local network via pywizlight. The only realistic abuse scenario is a malicious user invoking disco mode to strobe lights during a meeting or to create a nuisance. The skill cannot be used to exfiltrate data, escalate privileges, or affect systems beyond the local LAN. The bulb IP must be user-supplied, further limiting automated misuse.