Is enchograph/daily-gushiwen safe?

https://github.com/openclaw/skills/tree/main/skills/enchograph/daily-gushiwen

82
SAFE

This skill is a legitimate Chinese classical poetry aggregator that fetches daily content from gushiwen.cn and formats it for delivery via a messaging agent. The skill package contains only markdown files with no executable code, and the install process was clean with only expected GitHub network connections and no canary file exfiltration. The primary concerns are operational rather than indicative of malicious intent: the skill instructs the agent to use exec+curl (raw shell execution) to fetch and embed third-party web content directly into agent context without sanitization guardrails, creating a secondary prompt injection surface if gushiwen.cn or its image CDN were ever compromised.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

MEDIUM Instructs exec+curl for web scraping -20

The skill instructs the agent to use exec+curl (raw shell command execution) as its primary method for fetching HTML from gushiwen.cn, rather than relying exclusively on safer sandboxed tools like tavily_extract. This is the intended platform pattern but meaningfully widens the agent's shell execution surface each time the skill runs.

MEDIUM Fetched HTML embedded in agent context without sanitization guardrails -18

The skill instructs the agent to parse raw HTML from a third-party website and embed the extracted content directly into message output. If gushiwen.cn or its CDN (ziyuan.guwendao.net) is compromised or begins serving adversarial content embedded in poem text or image alt tags, those instructions would be injected into the agent's active context.

LOW Image URLs sourced from CDN via regex extraction -20

The skill extracts image URLs from fetched HTML using a regex pattern and sends them via a media parameter. If the CDN or the fetched HTML is manipulated to supply an attacker-controlled URL, request parameters could encode and leak contextual information when the agent fetches the image.

LOW Pre-existing outbound TLS connection to Canonical infrastructure -8

A TLS connection to 185.125.188.54:443 (Ubuntu/Canonical) existed before and was closed after the clone. This is consistent with normal VM background activity (Ubuntu Pro/update services) and is not attributable to the skill, but is noted for completeness.

INFO Canary files accessed by audit system during initialization and post-install verification -5

Sensitive honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were opened in read-only mode at two points: during audit initialization (pre-clone) and post-install verification. Both access patterns match the monitoring system's own behavior and no file contents were modified or exfiltrated.

INFO Platform-aware behavior indicates legitimate developer intent 0

The skill contains an explicit condition to suppress image output when running inside QQ, demonstrating the author's awareness of different deployment contexts and concern for appropriate behavior. This is consistent with a developer building a real-world messaging bot rather than a malicious actor.