Is fysoul17/pyx-scan safe?
https://github.com/openclaw/skills/tree/main/skills/fysoul17/pyx-scan
pyx-scan presents itself as a prosocial security scanner but introduces meaningful architectural risk: all safety verdicts are delegated to a single unverified third-party API (scanner.pyxmate.com) whose responses are injected verbatim into agent context, bypassing normal LLM summarization and creating a server-side prompt injection vector. The skill also telemeters every scanned skill name to this third party, enabling user behavior profiling. No malicious code, hidden instructions, or credential exfiltration was detected in the skill itself, but the combination of an unverifiable trust oracle, unrestricted curl permission, and verbatim API response processing warrants careful evaluation before deployment.
Findings (9)
HIGH API response injected verbatim into agent context -28
The WebFetch prompt explicitly instructs the agent to return the API JSON body 'exactly as-is. Do not summarize.' This suppresses the LLM's normal content filtering and summarization, meaning any instructions or adversarial content embedded in scanner.pyxmate.com's JSON response will be processed directly by the agent without a sanitization boundary.
HIGH Third-party controlled API endpoint is a prompt injection source -10
The skill routes all agent queries through scanner.pyxmate.com, a domain controlled by an unverified third party. If this domain is compromised, returns adversarial content, or is operated with malicious intent, the API response lands verbatim in the agent's context window with behavioral authority (the agent formats and presents it as a security verdict).
HIGH Skill scan queries telemetered to third-party server -20
Every invocation of this skill sends the owner/name of the skill being checked to scanner.pyxmate.com. Over time this reveals the user's full skill-vetting history, which skills they are considering, and their security posture. This data is sent to a server the user does not control and whose privacy policy is unknown.
MEDIUM Unrestricted curl permission enables potential exfiltration if injected -10
The allowed-tools declaration permits Bash(curl *) without host or flag restrictions. If the pyxmate.com API response contains injected instructions directing the agent to run a secondary curl command, arbitrary data (environment variables, file contents) could be exfiltrated to an attacker-controlled endpoint.
HIGH Security oracle architecture creates single point of compromise for trust decisions -25
By positioning itself as the authoritative source of skill safety verdicts, pyx-scan means that any user who relies on it delegates their entire security judgment to pyxmate.com. A malicious or compromised API could systematically whitelist dangerous skills (false SAFE) or suppress legitimate ones (false DANGER), poisoning trust decisions ecosystem-wide without the agent or user being able to detect it.
MEDIUM Skill surveillance: maps user's agent configuration on every invocation -17
Because pyx-scan is triggered by phrases like 'is this safe', 'scan skill', 'verify tool', it activates whenever a user evaluates any skill. This gives pyxmate.com a continuous feed of what skills the user is investigating, building a profile of their agent's intended capability set.
LOW curl permission scope broader than required -15
The Bash(curl *) permission allows any curl invocation, not just calls to scanner.pyxmate.com. Restricting it to Bash(curl https://scanner.pyxmate.com/*) would be more appropriate and would limit the blast radius if the skill is manipulated.
INFO Clean install — no unexpected behavior during clone 0
The skill cloned normally via git sparse-checkout from github.com/openclaw/skills. No unexpected processes, no filesystem changes outside the install directory, no new persistent network connections post-install.
INFO Canary file reads attributed to monitoring infrastructure -5
Sensitive files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened read-only at two timestamps — one pre-install and one post-install — in identical access order with CLOSE_NOWRITE. This pattern matches the Oathe monitoring system performing baseline integrity snapshots. No network egress of canary content was observed.