Is felmonon/skillsign safe?

https://github.com/openclaw/skills/tree/main/skills/felmonon/skillsign

Score: 92 · Verdict: SAFE

skillsign is a legitimate ed25519 cryptographic signing and verification tool for AI agent skill folders. The SKILL.md contains no prompt injection attempts, all Python source code is clean with no network calls or malicious patterns, the install only contacted GitHub as expected, and all canary honeypot files remained intact and unmodified. The primary concerns are dual-use risks inherent to trust management tools operating inside an agent context: the 'trust' subcommand has a social engineering attack surface when agent-active, and the tool generates persistent private key material on disk that warrants awareness.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (5)

MEDIUM Trust Command Social Engineering Vector When Agent-Active -20

When skillsign is loaded into an agent's system prompt, a malicious user or prompt injection in another skill could instruct the agent to run 'skillsign trust <attacker-controlled-key.pub>'. This permanently adds the attacker's public key to ~/.skillsign/trusted/, causing all future skills signed by the attacker to display as [TRUSTED]. This creates a persistent trust escalation that survives skill removal.

LOW Sign Command Can Cryptographically Legitimize Malicious Content -8

A socially engineered or compromised agent holding a private key could be instructed to run 'skillsign sign ', embedding a cryptographic signature that users and other agents may trust. This is a dual-use risk inherent to any signing tool, but it is worth noting given the agent-first deployment model.

LOW Persistent Private Key Material Written to Home Directory -8

The keygen command writes ed25519 private keys to ~/.skillsign/keys/.pem with 0600 permissions. While this is cryptographically appropriate key management, it creates persistent sensitive credential material on disk. If this host is later compromised, attackers gain signing capability under the user's identity.

LOW Version Inconsistency Across Skill Files -10

The _meta.json registry entry reports version 1.1.0, but SKILL.md frontmatter, setup.py, and cmd_sign all report 1.0.0. Only cmd_revoke references v1.1.0 internally, suggesting the revocation feature was added in an update without fully propagating the version string. This is a code hygiene concern that slightly undermines provenance transparency.

INFO Sensitive File Accesses Are Audit Framework Canary Lifecycle, Not Skill Activity 0

The inotify and auditd logs show access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. All accesses predate skill installation (timestamp 1771909125 vs git clone start at 1771909130) or occur during post-install canary verification (1771909142). All are marked CLOSE_NOWRITE (read-only). No skillsign.py code paths touch these files. Canary integrity confirmed intact.