Is fianabates1/qlik safe?

https://github.com/openclaw/skills/tree/main/skills/fianabates1/qlik

84
SAFE

The fianabates1/qlik skill is a legitimate Qlik Cloud API integration providing 37 tools for analytics platform management. No malicious behavior was detected: the SKILL.md is clean, no canary files were accessed, install traffic was limited to GitHub, and all API calls target the user's own Qlik tenant. The primary concerns are a systemic pattern of unsanitized shell variable interpolation into Python source code (exploitable via indirect prompt injection from Qlik data), the inclusion of destructive operations (app deletion, automation execution) without confirmation guardrails, and the inherent sensitivity of business intelligence data that surfaces in the agent context.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 91/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 76/100 · 5%

Findings (7)

MEDIUM Shell variable interpolation into Python source code -18

Multiple scripts embed shell variables directly into Python code strings passed via python3 -c. If a shell variable contains Python-syntax characters (quotes, newlines, semicolons), the Python AST changes and arbitrary code executes under the user's account. This is exploitable via indirect prompt injection if Qlik data (app names, space names, user names) is used to populate these variables.

MEDIUM Destructive write operations included in skill surface -14

The skill exposes app deletion, automation execution, reload triggering, reload cancellation, and alert triggering. An agent following ambiguous user instructions could invoke these destructively. The SKILL.md decision tree does not include any confirmation-before-action guidance for destructive operations.

LOW Business intelligence data surfaces in agent context -10

qlik-insight.sh returns actual KPI values, row data from hypercubes, and narrative summaries into the agent context. qlik-users-search.sh returns user PII. qlik-license.sh returns license allotment data. This data is available to the agent for subsequent actions including any other installed skills with exfiltration capability.

LOW Inline Python execution without input sanitization -10

All 37 scripts use python3 -c with shell variables embedded in the Python source string. None sanitize inputs before embedding. This is a systemic pattern across the entire skill, not an isolated occurrence.

INFO Install behavior clean — expected GitHub traffic only 0

Clone connected only to github.com (140.82.113.4). Sparse checkout used correctly to extract only the target skill subdirectory. Temp directory cleaned up post-install. No unexpected processes or filesystem writes.

INFO All honeypot files intact 0

Canary file accesses in audit log are attributable to the monitoring framework's baseline and post-install integrity checks, not to skill scripts. No skill script reads or transmits credential files.

INFO SKILL.md is clean — no adversarial instructions 0

The skill prompt contains only legitimate operational guidance: decision trees for tool selection, a reference table of 37 scripts, setup instructions, and workflow examples. No attempts to override system prompt, suppress output, or alter agent behavior beyond the declared Qlik Cloud integration purpose.