Is eckmantechllc/flux safe?

https://github.com/openclaw/skills/tree/main/skills/eckmantechllc/flux

Overall score: 87/100
Verdict: SAFE

The eckmantechllc/flux skill is a straightforward bash+curl wrapper for a local event-sourced state engine with no prompt injection attempts, no malicious code, and a clean install. The primary concerns are architectural: the FLUX_URL environment variable can redirect all requests including auth tokens to an arbitrary server, the skill documents admin and connector-token endpoints that exceed its stated purpose, and its multi-agent shared-state design inherently creates a state-poisoning attack surface. No credential exfiltration was detected during the monitored install.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (9)

MEDIUM FLUX_URL override exfiltrates tokens and data to arbitrary server -12

The flux.sh script reads FLUX_URL from the environment with no validation. If set to an attacker-controlled endpoint, all curl calls — including those with Authorization: Bearer $FLUX_TOKEN — send auth credentials and all published entity state to that server. The SKILL.md explicitly invites remote-server usage for 'auth-enabled instances'.

MEDIUM Connector token storage enables credential accumulation in Flux state -8

The skill documents POST /api/connectors/:name/token for storing PAT credentials inside Flux. An agent following the skill instructions could store user credentials in a shared, potentially externally accessible Flux instance.

MEDIUM Shared state enables cross-agent data poisoning -15

Flux is explicitly designed for multi-agent shared state. Any agent or authenticated external writer can publish entity properties that all other agents read as canonical state. A compromised agent or external actor could inject false sensor readings, status values, or other state that influences downstream agent decisions.

MEDIUM Admin config endpoint allows Flux runtime modification -13

The admin-config command issues authenticated PUT /api/admin/config requests. If the agent has FLUX_ADMIN_TOKEN set, it could modify Flux runtime parameters (rate limits, etc.) in response to user instructions or injection attempts.

MEDIUM Admin config modification via flux.sh admin-config -8

The skill documents and implements the ability to update Flux runtime configuration. This is a privileged operation that could destabilize shared infrastructure if misused.

LOW Bash script with external HTTP execution surface -10

flux.sh is a bash + curl script that makes outbound HTTP requests. While necessary for the skill's function, it represents an execution surface that the agent will invoke. No install-time auto-execution was detected.

LOW Admin API documentation widens agent's perceived permission scope -7

SKILL.md explicitly documents admin endpoints including rate limit modification and connector token storage, which go beyond the stated skill purpose of publishing events and querying state.

INFO Pre-existing external HTTPS connection unrelated to skill -5

A TCP connection to 185.125.188.58:443 existed before the install and was absent afterward. IP belongs to Ubuntu/Canonical update notification infrastructure. No connection was established during or after the install.

INFO Credential files read by monitoring infrastructure before and after install -5

Six credential files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened at audit sequence 264-272 (timestamp 1771929757, ~6 seconds before git clone began) and again at 1452-1457 (timestamp 1771929775, post-install). Timing is consistent with oathe monitoring performing canary baseline and post-install integrity checks. All files confirmed intact.