Is dandysuper/openclaw-kirocli-coding-agent safe?
https://github.com/openclaw/skills/tree/main/skills/dandysuper/openclaw-kirocli-coding-agent
This skill is a legitimate AI coding agent orchestrator for OpenClaw with no malicious content in its SKILL.md. Its primary risk profile is not deception but privilege amplification: it normalizes running sub-agents (Codex, Kiro, Claude Code) in modes that disable all sandboxing and approvals (--yolo, --trust-all-tools), and it exposes MCP server installation which creates persistent arbitrary-command execution. Clone behavior was clean, canary files were not modified, and canary reads in monitoring are attributable to the audit framework's own integrity checks.
Findings (10)
HIGH (-18) Promotes --yolo mode: zero sandbox, zero approvals for Codex sub-agent
SKILL.md explicitly instructs the agent to use 'codex --yolo' and 'codex exec --full-auto', documented in the skill itself as 'NO sandbox, NO approvals (fastest, most dangerous)'. Any task routed through this skill that invokes Codex in yolo mode gives that process unrestricted access to the host filesystem and network with no human review.
HIGH (-20) Skill serves as a high-privilege execution primitive if combined with prompt injection
The skill orchestrates background PTY processes running AI agents in unrestricted modes. If any other loaded skill or user input contains prompt injection, the injected instructions can be relayed to a --yolo Codex or --trust-all-tools Kiro session that will execute arbitrary commands without confirmation. The skill itself becomes the execution layer for a chained attack.
MEDIUM (-12) MCP server installation creates persistent arbitrary-command execution
The skill teaches 'kiro-cli mcp add --name my-server --command "node server.js" --scope workspace|global'. A global-scope MCP server runs a user-supplied command at the start of every Kiro session. If an attacker can influence the --command argument (via prompt injection or a maliciously crafted prompt), they can install a persistent backdoor process running under the user's account.
MEDIUM (-10) elevated:true bash parameter bypasses sandbox
The Bash tool parameter table documents 'elevated: boolean — Run on host instead of sandbox (if allowed)'. The skill exposes this parameter to users and includes it in its documentation, normalizing its use. Tasks relayed with elevated:true execute with host-level privileges rather than in any isolation layer.
MEDIUM (-13) openclaw gateway wake --text field usable as short exfiltration channel
The skill instructs agents to append 'openclaw gateway wake --text "Done: [summary]" --mode now' to sub-agent prompts. The text field is under the sub-agent's control. A compromised sub-agent or injected prompt could exfiltrate short secrets (API keys, tokens, first lines of credential files) through this notification channel.
MEDIUM (-15) --yolo and --trust-all-tools sub-agents have unrestricted credential access
When the orchestrating agent spawns Codex in --yolo mode or Kiro with --trust-all-tools, the sub-agent process inherits the full filesystem access of the parent. It can read ~/.env, ~/.ssh/id_rsa, ~/.aws/credentials, etc. without any confirmation prompt. The skill normalizes this pattern for 'automation'.
LOW (-8) Internal system topology leaked in skill rules
The skill's rules section explicitly names two sensitive internal directories: '/clawd/' (described as containing 'soul docs' related to org structure) and '/Projects/openclaw/' (the live OpenClaw installation). This reduces attacker reconnaissance cost if they can read the system prompt.
LOW (-5) Canary files READ (not modified) at install time and post-install
Inotify and auditd PATH records show that all six honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read at 05:10:26 (pre-clone) and again at 1771909857 (post-install, raw audit-record timestamp). The pattern and timing are consistent with the audit framework's own canary baseline and integrity verification steps, not with skill-initiated access. The canary integrity check confirms the files were not modified.
INFO (-7) pnpm install in worktree examples executes npm lifecycle hooks
The parallel issue-fixing example includes 'pnpm install && codex --yolo ...' immediately after checking out external branches. npm/pnpm lifecycle scripts (preinstall, postinstall) execute arbitrary code from the packages declared in those repos, which may be untrusted.
INFO (0) No hidden content, encoding tricks, or instruction override attempts
Full review of SKILL.md found no invisible unicode characters, zero-width spaces, HTML comments, base64-encoded instructions, or attempts to override the agent's system prompt or ignore prior instructions. The skill content is straightforward operational documentation.