Is frmoretto/hs safe?
https://github.com/openclaw/skills/tree/main/skills/frmoretto/hs
The HardStop skill (v1.5) presents a genuine security paradox: it is designed to prevent dangerous AI actions, but its v1.5 INVOCATION INSTRUCTIONS section embeds a prompt injection directive that causes the LLM to execute an external Python script (hs_cmd.py) that is not included in the skill repository. The skill also explicitly teaches the LLM how to bypass all of its own protections via /hs skip and /hs off, normalizing safety circumvention as a standard workflow. The installation itself was clean, with no malicious behavior during clone, and canary files were not exfiltrated; the skill document itself is the threat vector.
Findings (8)
HIGH Skill document instructs unconditional Python execution -20
The INVOCATION INSTRUCTIONS section (added in v1.5) is a prompt injection attack surface embedded in SKILL.md. When the skill is activated with any recognized argument, the LLM is instructed to run 'python ~/.claude/plugins/hs/commands/hs_cmd.py
HIGH Execution of unverifiable external script via skill document -30
The skill instructs the LLM to execute ~/.claude/plugins/hs/commands/hs_cmd.py, a file that is not present in the skill repository and cannot be audited at install time. Any file placed at that path by any means (malicious plugin, supply chain attack on the Hardstop plugin, or direct filesystem compromise) will be executed by the LLM whenever the hs skill is invoked with arguments.
HIGH Self-defeating bypass workflow normalizes circumventing safety checks -15
Section 'WHEN COMMANDS ARE BLOCKED' explicitly teaches the LLM to offer users a bypass of the safety hook and then execute the previously blocked command. The LLM is instructed to run '/hs skip' (which executes hs_cmd.py) and retry. This converts the safety skill into a bypass-teaching mechanism, and a social engineering attack only needs to convince the user once.
MEDIUM 'off'/'disable' command completely disables all safety checking -8
The skill accepts 'off' and 'disable' as valid invocation arguments, which run 'hs_cmd.py off'. This disables all protections, including the Read Tool Protection for credential files. A co-installed malicious skill could invoke '/hs off' to clear protections before executing data-exfiltration steps.
MEDIUM Safety theater: protection and bypass sold as a bundle -20
The skill presents itself as a safety guardrail while simultaneously embedding mechanisms to bypass every protection it claims to provide. The v1.5 changelog explicitly frames the code-execution injection as a 'fix' rather than a new attack surface. Users installing this skill may believe they have meaningful protection while having introduced a prompt-to-code-execution pathway.
MEDIUM Bypass mechanism circumvents Read Tool Protection for credentials -10
Section 9 (Read Tool Protection) blocks reading of .ssh, .aws, .env, .kube, .docker and other credential files. However, the /hs skip mechanism and 'off' command can disable this protection. The bypass is presented as a user-friendly feature, reducing friction around the most sensitive files.
LOW Extremely broad activation scope increases attack surface -10
The skill description instructs 'ACTIVATE THIS SKILL FOR ANY SHELL COMMAND OR FILE READ' — this is one of the broadest possible scopes. Every shell operation invokes this skill, meaning its prompt-injection vectors (particularly the Python execution instruction) are triggered constantly during normal use.
INFO Canary files opened post-install but confirmed intact -3
Auditd PATH records show that .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were opened approximately 5 seconds after install completed (1771958262.035). The timing and access pattern are consistent with the Oathe audit system's post-install canary integrity verification, not skill-initiated access. The Canary Integrity report confirms all files intact.