Is chrisagiddings/gandi-skill safe?
https://github.com/openclaw/skills/tree/main/skills/chrisagiddings/gandi-skill
The gandi-skill is a well-documented, legitimate Gandi domain registrar integration with no malicious prompt injection, no unauthorized exfiltration, and a clean installation process. All honeypot canaries remained intact and no suspicious processes were spawned during or after installation. The primary risk is inherent to the skill's stated purpose: it bundles powerful destructive scripts (bulk DNS replacement, catch-all email forwarding, domain registration) that could cause serious harm if an agent were social-engineered or jailbroken into invoking them without user intent.
Findings (5)
HIGH Agent with this skill can destroy DNS infrastructure or intercept email -15
The skill's destructive scripts (bulk DNS replace, catch-all email forward, DNS record deletion) give an LLM agent the ability to take down websites, intercept domain email, or trigger domain registrations. While thoroughly documented, these risks are inherent and persist regardless of the skill author's intent.
LOW API token with domain management scope stored locally -5
The skill reads a Gandi PAT from ~/.config/gandi/api_token. This token can have LiveDNS write, Email write, and Domain write scopes. If the token file is compromised via path traversal or other agent manipulation, a full Gandi account takeover is possible.
LOW Large attack surface from bundled JS scripts -5
30+ Node.js scripts are bundled and ready to execute. While none auto-run on install, they expand the attack surface an LLM agent can act on. A manipulated agent could chain read-then-write operations across multiple scripts.
INFO Documentation/package.json dependency mismatch -3
SKILL.md instructs the user to run npm install and lists axios as a dependency, but package.json declares empty dependencies. The skill may not be fully functional as documented, but this inconsistency is not a security concern.
INFO Installation process is transparent and auditable 0
The git clone, sparse checkout, copy, and cleanup sequence is clearly visible in auditd logs. No obfuscated installation steps detected.