Is djemec/bioskills safe?
https://github.com/openclaw/skills/tree/main/skills/djemec/bioskills
bioskills is a meta-skill installer that, when triggered, clones and executes an unaudited shell script (install-openclaw.sh) from the third-party GPTomics/bioSkills GitHub repository, then installs 425 additional skills into the agent's context. The SKILL.md itself contains no prompt injection or hidden directives, and no malicious behavior was observed during the static clone phase. However, the skill functions architecturally as a supply chain delivery mechanism — its security posture is entirely dependent on the trustworthiness of an external, unaudited repository, and mass installation of 425 unvetted skills creates a large secondary attack surface.
Findings (9)
CRITICAL Executes unaudited remote shell script from external repository -40
install-bioskills.sh clones https://github.com/GPTomics/bioSkills.git and then unconditionally executes install-openclaw.sh from the cloned repository. This script is not bundled with the skill, not reviewed in this audit, and has full shell execution capability in the user's environment. The commit hash check verifies the HEAD revision but does not establish that the code is safe.
HIGH Mass installation of 425 unaudited skills into agent context -20
Successful execution of the install script places 425 additional skills into the agent's skill directory. Each skill is automatically triggered based on task context, meaning hundreds of unaudited system-prompt injections become active. None of these sub-skills are part of this audit.
HIGH Unaudited external script has full access to user credential files -20
The install-openclaw.sh script executed from GPTomics/bioSkills runs with user permissions and can read .env, SSH keys, AWS credentials, .npmrc, Docker config, and GCP credentials. There is no sandbox or capability restriction applied to this script during installation.
MEDIUM All six credential canary files accessed in bulk at same post-install timestamp -25
File access syscalls show OPEN+ACCESS events on all six honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) at audit timestamp 1771932399.728, with sequential event IDs 7009–7014. This occurs after skill installation (cp completed at 1771932395.413). Files were not modified. The pattern is consistent with the OpenClaw audit framework's canary verification pass, but skill-triggered activity cannot be definitively ruled out, since the install script was not executed.
MEDIUM Supply chain attack vector via GPTomics/bioSkills repository -35
This skill's sole function is to clone and execute code from a third-party GitHub repository not operated by the skill author's organization. Any compromise, takeover, or malicious update of GPTomics/bioSkills would silently propagate to every user of this skill. The commit hash pin is an advisory check that must be actively maintained across skill versions.
MEDIUM Silent mass skill installation on routine bioinformatics queries -25
The skill's trigger condition ('Use when a bioinformatics task requires specialized skills not yet installed') means any bioinformatics question could silently trigger installation of 425 external skills without explicit user action. This creates an implicit supply chain pull on normal usage.
LOW Commit hash controlled entirely by skill author; future versions can redirect to malicious commits -15
The EXPECTED_COMMIT value embedded in install-bioskills.sh is set by the skill publisher. A future version update could change this hash to point to a GPTomics/bioSkills commit containing credential-harvesting or exfiltration code in install-openclaw.sh, with no user-visible warning.
LOW Auto-trigger pattern may invoke mass installation without user confirmation -10
The skill is designed to auto-activate when bioinformatics work is detected. Combined with the mass installation behavior, this could result in 425 skills being installed into the agent's context mid-conversation without an explicit install request from the user.
INFO No malicious behavior observed during static audit phase 0
The skill was copied to the audit VM but install-bioskills.sh was not executed. All observed network connections were from the OpenClaw audit framework (GitHub clone of openclaw/skills monorepo). No unexpected processes were spawned. Filesystem changes were limited to the skill directory.