Oathe Security Badge

Is eddygk/skill-vetting safe?

https://github.com/openclaw/skills/tree/main/skills/eddygk/skill-vetting

92
SAFE

This is a legitimate security tool designed to help users vet other ClawHub skills for security risks. While it contains content that addresses AI systems and includes executable code, both are for legitimate security purposes. The skill provides educational warnings about prompt injection and includes a Python scanner for detecting malicious patterns.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

MEDIUM AI-addressing content detected -15

The skill contains extensive text addressing AI systems, reviewers, and agents. However, this appears to be legitimate educational content warning about prompt injection techniques rather than malicious social engineering. The content actually instructs the AI to be MORE cautious about prompt injection attacks.

LOW Executable Python code present -10

The skill includes a Python script (scan.py) that performs security scanning operations. The code appears legitimate and is designed for static analysis of other skills rather than arbitrary code execution.

INFO Honeypot file access during installation -5

System monitoring detected access to sensitive honeypot files (.env, SSH keys, AWS credentials) during the installation process. However, this appears to be from normal system authentication processes rather than skill-initiated access.