Is cornbrother0x/smart-contract-audit safe?

https://github.com/openclaw/skills/tree/main/skills/cornbrother0x/smart-contract-audit

87
SAFE

The smart-contract-audit skill is a legitimate, well-crafted smart contract security auditing workflow authored by openclaw. The SKILL.md contains no prompt injection attempts, no credential harvesting instructions, and no data exfiltration mechanisms; canary files were untouched by the skill. The primary risk factors are inherent to the skill's function: install-tools.sh downloads security analysis tools (slither, aderyn) via pip/cargo without version pinning (supply chain risk), and the workflow instructs running forge build and forge test on user-supplied contracts (code execution risk from malicious audit targets). These risks exist in the audit use-case context and are not signs of malicious intent, but users should ensure they trust the contracts they submit for auditing.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

MEDIUM: Unpinned pip/cargo package installation in install-tools.sh (-13)

The install script installs slither-analyzer and solc-select via pip3 with no version pins and aderyn via cargo. Unpinned installs are vulnerable to supply chain compromise or dependency confusion attacks. A malicious package version could execute arbitrary code with access to the agent's environment, including any API keys or credentials in scope.

MEDIUM: forge test execution on user-supplied Solidity contracts (-10)

The skill generates Foundry PoC tests and then runs forge test against them, which compiles and executes arbitrary Solidity (and potentially Yul/assembly) provided by the audit target. A malicious audit target project could embed build scripts or Foundry plugins that execute arbitrary code during the test run.

LOW: User-supplied audit target cloned and built locally (-5)

The skill instructs cloning user-specified GitHub repositories as audit targets. Malicious repos could contain postinstall hooks, malicious foundry.toml scripts, or Makefile rules that exfiltrate environment data when forge build or npm install is run as part of the audit setup.

LOW: Audited contract content injected into sub-agent prompts without sanitization (-5)

The full source code of the audit target (including comments and NatSpec) is passed verbatim to 6 specialist sub-agents. Adversarially crafted NatSpec or README content in the audit target could attempt to manipulate sub-agent behavior (e.g., fake finding suppression, false severity downgrades).

INFO: Canary credential files accessed only by oathe monitoring infrastructure (0)

Filesystem and auditd monitoring shows .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were opened at timestamps before and after clone, consistent with oathe's pre/post canary integrity checks. No skill process accessed these files. Canary integrity report confirms all files intact.