Is flyingzl/web-form-automation safe?

https://github.com/openclaw/skills/tree/main/skills/flyingzl/web-form-automation

90
SAFE

This appears to be a legitimate web form automation skill using Playwright for browser automation tasks. The code is well-structured and matches its described functionality for form filling, file uploads, and session management.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (3)

MEDIUM Sensitive file access during audit session -15

During the audit session, sensitive canary files (.env, SSH keys, AWS credentials) were accessed by system processes during SSH authentication setup. While not directly caused by the skill, this indicates system-level file access occurred during the installation window.

LOW Web automation could enable misuse -15

While the skill appears legitimate, web automation tools can potentially be misused for credential harvesting, automated attacks, or bypassing security controls if used maliciously.

LOW Shell script execution capabilities -10

The skill includes a shell script (webp-compress.sh) that executes system commands for image processing, though the functionality appears legitimate.