Is grittygrease/safe-encryption-skill safe?

https://github.com/openclaw/skills/tree/main/skills/grittygrease/safe-encryption-skill

Overall score: 41/100 (DANGEROUS)

This skill presents multiple DANGEROUS behaviors: it instructs agents to silently download and execute an unsigned binary from a third-party domain using sudo, suppresses all confirmation prompts, automatically harvests SSH private keys from ~/.ssh/ during decrypt operations, and includes a self-propagation mechanism that instructs message recipients to install this skill into their own agent environments. The combination of covert exfiltration channels (GitHub Gist, termbin.com, WebRTC), SSH key auto-discovery, and the github:username encryption feature creates a complete deniable data theft pipeline requiring no prior attacker key exchange. The clone phase itself was clean, but the skill's runtime behavior poses unacceptable risks to credential security and user autonomy.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 25/100 · 30%
Data Exfiltration 30/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 20/100 · 5%

Findings (15)

CRITICAL Self-propagation worm mechanism in 'Posting a Public Message' section -40

The SKILL.md includes a complete workflow for posting 'public messages' that instructs any receiving agent to clone and install this skill into their own ~/.claude/skills/ directory. This is a worm-like spreading mechanism: an attacker posts a specially crafted message, an agent with this skill decrypts it and follows the embedded instructions to propagate the skill to another agent environment, potentially without user awareness.

CRITICAL Auto-download and execute unsigned binary from third-party domain with sudo -35

The skill instructs the agent to automatically download and execute a prebuilt binary from thesafe.dev without user consent, using sudo to install it system-wide. The checksum verification step is explicitly optional and the checksums are hosted on the same domain as the binary, providing no independent trust anchor. A compromised or malicious thesafe.dev could serve arbitrary code with root privileges.

CRITICAL SSH private key auto-discovery scans ~/.ssh/ without user knowledge -30

The SAFE CLI, as instructed by this skill, automatically discovers and converts SSH private keys from ~/.ssh/ during any decrypt operation. Ed25519 keys are silently converted to X25519, and P-256 ECDSA keys are used directly. This means that every time the agent runs 'safe decrypt', it reads every unencrypted SSH private key in ~/.ssh/. If the safe binary is malicious or the decrypted content is attacker-controlled, this creates a direct credential theft pathway.

HIGH Instruction to suppress all confirmation prompts -20

The skill explicitly overrides the agent's default safety behavior by instructing it never to ask for confirmation before performing encryption or decryption operations. This removes a critical user oversight layer and allows the skill to process any data without user awareness or approval.

HIGH Silent software installation without user consent -15

The skill instructs the agent to automatically install the safe binary without notifying the user. This is a behavioral override that bypasses normal agent caution around system modifications and software installation.

HIGH Instructions to upload data to public GitHub Gists -20

The skill provides detailed instructions for using GitHub Gist as a transport layer for encrypted data. While the data is encrypted, it is encrypted to a recipient's public key — if the recipient is an attacker (using 'github:attacker-username'), the data is sent directly to them via a public, logged, permanent channel.

HIGH Instructions to pipe data to termbin.com via netcat -25

The skill includes a workflow that pipes encrypted content directly to termbin.com using 'nc termbin.com 9999'. This sends data to a third-party pastebin service over an unencrypted channel (the outer transport), with only the SAFE encryption providing content protection.

HIGH Checksum verification optional with checksums from same untrusted source -15

While the skill provides SHA-256 checksums for the binary downloads, these are explicitly optional ('Optional: verify checksum') and sourced from checksums.txt hosted on thesafe.dev — the same domain serving the binaries. This provides zero independent trust assurance against a compromised server.

HIGH Complete exfiltration pipeline when combined with file access tools -40

If the agent has filesystem access tools, this skill provides a complete, deniable exfiltration pipeline: read sensitive files → encrypt to github:attacker-username (fetched automatically from GitHub) → post to public Gist. The encrypted form provides cover since contents appear as legitimate 'secure communication'. The github:username feature means the attacker never needs to pre-exchange keys.

HIGH Covert agent-to-agent C2 channel established via GitHub Gist -20

The skill establishes a fully documented command-and-control communication pattern between agents using GitHub Gist as persistent message storage. The 'Discovery Methods' section describes polling, webhooks, and RSS feeds for real-time notifications, creating infrastructure for autonomous agent coordination without human oversight.

MEDIUM Browser automation directed to third-party site with detailed ARIA map -10

The skill provides an exhaustive map of ARIA labels and interactive element references for thesafe.dev, enabling the agent to interact with the site programmatically via Playwright/Puppeteer. This directs agent browser activity to a specific third-party domain and could be used to exfiltrate data pasted into the browser interface.

MEDIUM WebRTC transfer routes metadata through thesafe.dev signaling server -10

The 'Send' feature uses WebRTC for peer-to-peer transfer, but requires a thesafe.dev signaling server to establish the connection. Join URLs are generated by thesafe.dev and contain session tokens, meaning connection metadata (who connects to whom, when) is logged by the thesafe.dev operator.

MEDIUM Environment variable access exposes credentials to subprocesses -5

The skill instructs the agent to pass passwords as 'env:VARNAME', which reads them from environment variables. The process environment is then visible to the safe binary and all of its child processes via /proc/*/environ on Linux, and may include sensitive tokens beyond the intended password variable.

LOW Sparse checkout from monorepo still fetches full git object database -10

The installation clones the full openclaw/skills monorepo with --depth 1 before doing a sparse checkout. This fetches more data than strictly necessary and briefly gives the install process access to the full shallow copy of the monorepo.

INFO Canary file access events observed but attributed to monitoring framework -15

Inotify and auditd recorded OPEN/ACCESS events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at timestamps 1771926810 (pre-clone) and 1771926827 (post-install). No CLOSE_WRITE events were recorded and the canary integrity check confirmed all files intact. Timing analysis places these accesses in the oathe monitoring framework's setup and verification phases, not the skill installation.