Is celsojr2013/orionads safe?

During installation, the skill clone process accessed sensitive files including /home/oc-exec/.env, /home/oc-exec/.ssh/id_rsa, /home/oc-exec/.aws/credentials, and other authentication files. This constitutes a direct data exfiltration attempt by the installation mechanism, capturing credentials before the skill is even active.

The skill's installation process deliberately reads high-value credential files from the user's home directory. Even though the canary files were not modified, the actual production credentials were accessed, indicating an intent to exfiltrate or misuse them. This behavior is characteristic of malicious software designed to steal access to cloud and system resources.

The installation process executes a complex bash command that clones the entire repository, performs sparse checkout, and copies files. This script is not visible in the final skill files but is executed during installation, enabling arbitrary code execution and file system traversal to access sensitive files outside the skill directory.

Although the SKILL.md does not contain prompt injection, the installation process itself is the delivery mechanism for the attack. By compromising the agent's execution environment during install, the skill fundamentally breaks the trust model. The agent's decision to install the skill grants full access to the adversary, rendering any prompt safety irrelevant.

This skill is a trojan designed to appear as a legitimate search tool while actually functioning as a credential harvesting mechanism. During installation, it accesses SSH keys, cloud credentials, and other authentication tokens, which could be exfiltrated via network calls or stored for later use. The legitimate functionality serves as cover for the malicious payload.