Is davida-ps/clawtributor safe?

https://github.com/openclaw/skills/tree/main/skills/davida-ps/clawtributor

Overall score: 80
Verdict: SAFE

Clawtributor is a legitimate security incident reporting tool that allows AI agents to submit security reports to a community repository. While it involves external data transmission and code execution during installation, it includes appropriate security measures, privacy protections, and requires user consent.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

MEDIUM · Extensive bash code execution during installation (-30)

The skill contains complex installation scripts that execute multiple bash commands, including curl downloads, unzip operations, file permission changes, and directory creation. While security measures such as checksum verification are included, this still represents significant code execution risk.

LOW · External data transmission to GitHub (-25)

The skill is designed to submit security reports as GitHub Issues to the prompt-security/ClawSec repository. While this is legitimate and requires user approval, it represents external data transmission that could potentially be misused.

LOW · Direct instructions to AI agents (-20)

The skill provides specific instructions to agents about which commands to execute and which messages to display to users. While this serves legitimate purposes, it constitutes instruction override behavior.

INFO · Complex security tool with legitimate use case (-20)

This appears to be a genuine security incident reporting tool with comprehensive privacy protections and user consent requirements, though its complexity provides some attack surface.