Is enderfga/claude-code-skill safe?

https://github.com/openclaw/skills/tree/main/skills/enderfga/claude-code-skill

Overall score: 77/100
Verdict: CAUTION

The enderfga/claude-code-skill is a TypeScript MCP orchestration library with a clean SKILL.md containing no prompt injection and a clean installation with no unexpected network connections or canary compromise. However, the skill carries meaningful runtime risks: it unconditionally exposes the agent's entire process environment (including all API keys and credentials) to every MCP subprocess spawned, accepts arbitrary OS commands from configuration without validation, and provides content-parsing utilities that create an indirect injection surface if the agent processes attacker-controlled content containing embedded MCP command blocks. The skill's capabilities are legitimate in design but significantly expand the attack surface available to a sophisticated prompt injection attacker.

Category Scores

Prompt Injection: 85/100 (weight 30%)
Data Exfiltration: 60/100 (weight 25%)
Code Execution: 74/100 (weight 20%)
Clone Behavior: 92/100 (weight 10%)
Canary Integrity: 100/100 (weight 10%)
Behavioral Reasoning: 55/100 (weight 5%)

Findings (7)

[HIGH] Complete process.env leaked to every MCP subprocess (-25)

client.ts constructs the subprocess environment by spreading Object.entries(process.env) with no filtering into every StdioClientTransport. In an LLM agent runtime the environment typically contains ANTHROPIC_API_KEY and other service credentials. Every MCP server subprocess — legitimate or malicious — receives all of these secrets without the user or agent being aware.

[HIGH] Arbitrary OS command execution with no input validation (-20)

createClient() and initializeSingleClient() pass config.command and config.args from mcp_config.json directly to StdioClientTransport without any allowlist, sanitization, or schema validation. An agent tricked into calling addMcpServer() with attacker-controlled arguments, or a poisoned mcp_config.json, yields arbitrary code execution on the host.

[MEDIUM] Content-embedded MCP command parsing enables injection through processed content (-15)

utils.ts exports isMcpJson() and extractMcpJson(), which scan arbitrary string content for triple-backtick code fences tagged json:mcp: and parse the fence body as an MCP request object. If the agent processes attacker-controlled content (fetched web pages, user-supplied documents, tool outputs) through these utilities, an attacker can embed MCP tool calls in that content, and the agent executes them without explicit user intent.

[MEDIUM] setConfigPath enables loading of attacker-controlled MCP configuration (-10)

setConfigPath() replaces the global CONFIG_PATH variable with any provided string. If an agent is manipulated into calling this function with a path to a file that an attacker controls (written by another skill, fetched from the web, or injected via a tool output), all subsequent MCP server initialization loads the malicious configuration.

[MEDIUM] Session sync utilities can bulk-exfiltrate conversation history (-10)

mergeSessions(), mergeWithUpdate(), and mergeKeyValueStore() are designed to merge local and remote session state including chat messages. If an agent is instructed (via prompt injection or legitimate user request) to sync with an attacker-controlled endpoint using these utilities, complete conversation history including sensitive exchanges can be exfiltrated.

[LOW] Expected GitHub HTTPS connection for sparse checkout install (-8)

Installation performed a shallow git clone of the openclaw/skills monorepo on GitHub (140.82.121.4:443) followed by sparse checkout of the skill subdirectory. This is the expected installation mechanism and no anomalous connections were observed.

[INFO] Canary files accessed read-only by audit framework, not by skill (0)

Honeypot files were opened and read at timestamps 1771906735 (pre-install baseline) and 1771906758 (post-install verification) — both access windows are consistent with the Oathe audit system performing its own canary integrity checks. No skill-attributed process accessed these files. All canaries remain unmodified.