Is dwirx/tulisai safe?

https://github.com/openclaw/skills/tree/main/skills/dwirx/tulisai

89
SAFE

The dwirx/tulisai skill (BangunAI Blog Manager) is a personal blog content management tool targeting a specific React/MDX digital garden. No prompt injection, data exfiltration, or malicious behavior was detected; all canary files remain intact and no unexpected network connections were attributable to the skill. The primary security concerns are code quality issues in embedded bash workflows: unquoted heredocs and shell variables allow expansion of user-controlled content, which could be exploited if an attacker controls the content passed to the update or log workflows.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (6)

MEDIUM Unquoted heredoc allows shell expansion of user content -20

The update_about, update_now, and log workflows use unquoted heredoc delimiters (<<EOF, <<NOWEOF, <<DAILYEOF) and interpolate the user-controlled $CONTENT variable inside them. Because the delimiter is unquoted, shell metacharacters such as backticks or $() in user-supplied content are evaluated by the shell at execution time rather than written literally; quoting the delimiter (for example <<'EOF') disables that expansion.

LOW User-controlled $FILE variable in find pattern without sanitization -10

Workflow 5 (read/smart search) passes $FILE directly into a find -name pattern as $FILE.mdx. A value containing shell glob characters or path separators could cause find to search or match unexpected locations, though impact is limited to reading .mdx files.

LOW Skill instructs agent to run arbitrary bash scripts on invocation -8

Each workflow in SKILL.md is a bash script the agent is expected to execute. While the scripts are benign as written, this pattern of embedding executable shell code in a skill increases the agent's tool-use attack surface compared to skills that only provide guidance.

INFO Hardcoded absolute paths limit skill portability 0

All workflows hardcode /home/hades/BangunAI-Blog as the blog root. On any system where this path does not exist, every workflow fails, either silently or with errors. This is a design limitation, not a security threat.

INFO openclaw-gateway infrastructure connections present post-install -7

After installation, the openclaw-gateway process (pid=1084) shows two established TCP connections to 34.233.6.177:443 (AWS) and one to 104.16.7.34:443 (Cloudflare). These are consistent with executor/telemetry infrastructure and were not introduced by the skill.

INFO Canary file accesses attributable to monitoring framework 0

Auditd PATH records show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials. All six files are accessed at identical microsecond-level timestamps (1771940419.302 and 1771940436.564), confirming these are batch baseline scans by the monitoring framework, not skill activity.