Is daniel-laszlo/enzoldhazam safe?

https://github.com/openclaw/skills/tree/main/skills/daniel-laszlo/enzoldhazam

Overall score: 85 (SAFE)

The enzoldhazam skill is a focused, well-scoped thermostat controller for the NGBS iCON Smart Home system with a clean SKILL.md that contains no prompt injection, no hidden directives, and an explicit user-confirmation requirement before executing temperature changes. No malicious behavior was detected during install — network activity was limited to GitHub, canary files were not exfiltrated, and the skill package contains no executable code or install-time hooks. The primary residual risk is indirect: the SKILL.md guides users to build and install a third-party Go binary with sudo privileges, and that binary's runtime behavior (credential handling, API communication with enzoldhazam.hu) cannot be fully audited from the skill package alone.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (5)

MEDIUM Third-party binary install with sudo privileges -28

The SKILL.md setup section instructs users (and by extension an agent assisting with setup) to clone a separate GitHub repository, build a Go binary, and install it system-wide via 'sudo mv enzoldhazam /usr/local/bin/'. The runtime behavior of this binary — including what files it reads, what it sends to enzoldhazam.hu, and whether it reads environment variables — cannot be audited from the skill package alone. The skill package only contains library source files under internal/; the cmd/ entry point is not present.

LOW Credential exposure via plaintext environment variables -18

The skill recommends storing thermostat credentials in ENZOLDHAZAM_USER and ENZOLDHAZAM_PASS environment variables as an alternative to macOS Keychain. On systems where an agent has shell access, these environment variables are readable by any subprocess, co-resident skill, or process listing tool. This is a credential hygiene concern rather than a direct exfiltration vector in the skill itself.

LOW Dependency on third-party service for physical device control -20

The binary authenticates and communicates with enzoldhazam.hu to control physical thermostats. If this service were compromised or the domain were taken over, a malicious actor could intercept credentials or manipulate commands. All thermostat control flows through this external endpoint, and there is no documented certificate pinning or request signing in the visible source.

INFO Canary file reads attributed to monitoring framework, not skill code 0

Filesystem access events show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials being opened at 08:12:53 (audit timestamp 1771920773.838), which predates the git clone operation (1771920779.349). A second access batch appears at 1771920792.583 post-install. Both correspond to the Oathe monitoring system's canary initialization and integrity verification phases. Canary Integrity check confirms no exfiltration occurred.

INFO Clean install with only expected GitHub network activity 0

The sparse git clone connected only to GitHub (140.82.121.3:443), with DNS resolution proceeding normally. No connections to unexpected hosts, no firewall-blocked attempts to attacker infrastructure, and no new persistent network listeners were introduced after install.