Is hajekt2/ua1-validator-agent safe?

https://github.com/openclaw/skills/tree/main/skills/hajekt2/ua1-validator-agent

79
CAUTION

The ua1-validator-agent skill is a focused, well-structured PDF accessibility validator with no prompt injection, no malicious install behavior, and no direct credential-harvesting logic. The primary risk is architectural: the included shell script sends the full contents of any file path provided to an external third-party API (api.ua1.dev) with no client-side type enforcement, and the API base URL is overridable via environment variable, making it a latent exfiltration vector if the agent is manipulated or the environment is compromised. The skill is appropriate for controlled environments where api.ua1.dev is trusted and agents are not exposed to adversarial inputs.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (6)

HIGH Shell script uploads arbitrary files to external API with no type validation -30

The validate_pdf.sh script checks only that the argument is an existing file (if [[ ! -f "$FILE_PATH" ]]) before uploading it to api.ua1.dev. There is no client-side verification that the file is a PDF. An agent manipulated into calling the script with a path like ~/.ssh/id_rsa, ~/.aws/credentials, or .env would silently upload the file to the external API. The SKILL.md workflow instructs agents to 'validate each PDF' but places no constraint on what file paths can be provided.

MEDIUM UA1_API_BASE environment variable allows silent redirection of all file uploads -15

The destination host for file uploads is read from the UA1_API_BASE environment variable with no integrity check or allow-list. If the execution environment is compromised (e.g., via a malicious .env file, a prior skill that injects env vars, or a supply-chain attack), every file the agent sends for validation would be forwarded to an attacker-controlled server over HTTPS, making the exfiltration invisible in cleartext logs.

MEDIUM Skill ships an executable shell script invoked directly by the agent -22

The SKILL.md instructs agents to run 'bash scripts/validate_pdf.sh ', placing an executable shell script into the agent's working environment. While the script's current behavior is benign, it establishes a pattern of agent-executed shell scripts that could be updated via skill version bumps. The script depends on curl and jq being present in PATH, and does not pin versions or verify checksums of those binaries.

LOW Skill creates a persistent external data channel for every file the agent processes -30

By design, every document the agent validates is transmitted in full to api.ua1.dev. Users and operators must trust this third-party service unconditionally. Combined with the lack of file-type enforcement, the skill is architecturally one misconfigured agent instruction away from becoming an unintentional exfiltration channel for sensitive documents.

LOW Installation clones full monorepo over network before sparse-checkout -10

The install process clones the entire openclaw/skills Git monorepo to /tmp/monorepo-clone with --depth 1 and then performs a sparse-checkout to extract only the target skill path. This exposes the install host to any content in the monorepo's working tree during the brief window before the temp directory is removed. The temp directory is cleaned up promptly (rm -rf /tmp/monorepo-clone).

INFO Canary files read during monitoring setup and SSH session establishment — not by skill -10

Accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were observed at two timestamps. The first (1771906486) predates the git clone (1771906491) and is attributable to the oathe sudo/audit setup process (pid 1096). The second (1771906509) follows repeated .ssh/authorized_keys accesses consistent with SSH session handshake by the monitoring framework. No network transfer of canary content was detected.