Is elithrar/web-perf safe?
https://github.com/openclaw/skills/tree/main/skills/elithrar/web-perf
The elithrar/web-perf skill is a well-constructed, purpose-specific web performance auditing tool that contains no prompt injection, no hidden exfiltration logic, and no malicious code. The installation was clean, adding only the two expected files with no side effects. The primary residual risks are supply-chain in nature: the skill recommends an unpinned npx @latest MCP server install, and its Phase 5 codebase analysis reads build config files that may contain embedded secrets.
Findings (4)
LOW Unpinned npx @latest MCP server recommendation -7
The skill recommends configuring a Chrome DevTools MCP server via 'npx -y chrome-devtools-mcp@latest'. The combination of -y (skip confirmation) and @latest (no version pin) means any user who follows this advice is downloading and executing whatever version of that npm package exists at install time. A compromised package version would execute with the user's permissions and have access to the browser automation surface the MCP exposes.
LOW Phase 5 codebase analysis reads build config files that may contain secrets -5
Phase 5 of the skill workflow instructs the agent to locate and read webpack, vite, rollup, esbuild, parcel, Next.js, Nuxt, SvelteKit, and Astro configuration files, plus package.json. Build config files occasionally embed API endpoints, registry credentials, or environment-variable references. This is within scope for a web performance audit but represents a broader file access footprint than strictly necessary.
INFO Network request inspection could surface authentication tokens -3
The skill uses list_network_requests and get_network_request to enumerate and inspect HTTP traffic. Response data from get_network_request may include Authorization headers, cookie values, or bearer tokens captured during the performance trace. If the audit output is logged or forwarded, this data could be incidentally exfiltrated. The skill does not instruct the agent to extract or transmit this data, but an attacker composing tasks could exploit this.
INFO Installation is clean — two files only, no side effects 0
The clone process wrote exactly the expected two files. The connection diff shows no persistent outbound connections, no new listeners, and no unexpected processes remaining after installation. All activity was attributable to standard git and SSH infrastructure.