Is georgi/nodetool safe?
https://github.com/openclaw/skills/tree/main/skills/georgi/nodetool
The georgi/nodetool skill is clean documentation for a legitimate open-source AI workflow builder (nodetool-ai/nodetool, AGPL-3.0). The SKILL.md contains no prompt injection, hidden instructions, obfuscated content, or malicious agent directives. However, the skill extensively promotes curl-pipe-bash and irm|iex installation patterns that would cause an agent to download and execute unreviewed remote scripts, and it documents commands that surface API keys and secrets. Canary files remained intact with no confirmed data exfiltration during the install.
Findings (10)
HIGH curl-pipe-bash remote installation promoted as default -30
SKILL.md presents curl-pipe-bash as the primary recommended installation method, repeated twice in the document. When a user asks an agent 'install nodetool', the agent will follow this documentation and execute an unreviewed shell script downloaded from GitHub at runtime. If the nodetool-ai GitHub repository, the CDN serving raw.githubusercontent.com, or a DNS response is compromised, arbitrary code executes with the user's shell privileges. The install.sh script content is not audited by this skill.
HIGH Windows irm|iex remote PowerShell execution -8
The Windows installation path uses Invoke-Expression on a remotely fetched PowerShell script. This is functionally identical to curl|bash: no code review, no hash verification, full shell execution. The -Yes flag ensures no prompts are shown.
MEDIUM nodetool settings show surfaces secrets to agent context -12
The command is explicitly documented as 'View settings and secrets'. If an agent executes this during troubleshooting or configuration tasks, API keys, tokens, and other secrets would be printed to stdout and captured in the agent's context window, potentially logged or inadvertently shared.
MEDIUM nodetool info reveals full API key inventory -8
The info command output explicitly includes 'API key status' for six AI provider SDKs: OpenAI, Anthropic, Google, HuggingFace, Ollama, and fal-client. An agent running system diagnostics would disclose which credential types are present on the host.
MEDIUM Non-interactive install normalizes confirmation bypass -8
The skill explicitly documents and recommends -y (Linux) and -Yes (Windows) flags, explaining 'All confirmation prompts are skipped automatically — Perfect for CI/CD pipelines or automated setups'. This primes agents to use bypass flags as the preferred automation pattern, suppressing any safety gates in the installer.
MEDIUM Server binds to 0.0.0.0 — all interfaces exposed -15
The documented serve command binds to all network interfaces. An agent starting the server would make the FastAPI backend accessible to any device on the same LAN, not just localhost. Combined with the tool's ability to run arbitrary workflows, this creates a lateral movement surface.
LOW Cloud deployment commands can provision and destroy infrastructure -10
The deploy subcommands (init, add, apply, destroy) manage cloud resources on RunPod, GCP, and Docker. If an agent misinterprets a user intent and runs 'nodetool deploy apply' or 'destroy', it could provision chargeable resources or delete active deployments on the user's cloud accounts.
LOW nodetool sync destination unspecified -5
The sync command description — 'Synchronize database with remote' — does not identify what remote is contacted or what data is transmitted. Depending on configuration, this could upload workflow definitions, model references, or user data to an external service.
INFO Post-install TCP connections attributed to audit gateway -5
Two established connections to AWS IPs (44.214.208.192:443 and 3.217.42.175:443) appeared after install, along with localhost listeners on ports 18790/18793. All are owned by the openclaw-gateway audit process (pid=1088, confirmed via .openclaw-executor/gateway.pid in baseline). No network connections attributable to nodetool were observed.
INFO Credential file reads during audit window are framework scans -5
Auditd PATH records show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at two points: pre-install (audit timestamp ~1771935910) and post-install (~1771935933). Both clusters coincide with audit framework operation timing. All canary files confirmed intact with no content modification.