Is higangssh/homeserver safe?

https://github.com/openclaw/skills/tree/main/skills/higangssh/homeserver

Overall score: 79 (CAUTION)

The homeserver skill is a functionally legitimate homelab management tool (SKILL.md contains no prompt injection, hidden instructions, or exfiltration logic), but it introduces meaningful security risks through its dependency on an unverified third-party binary (homebutler) that is installed system-wide via curl-pipe-tar without checksum verification and subsequently granted SSH access to all configured servers. The homebutler deploy feature provides remote code execution capability across the user's entire server infrastructure by design. Clone behavior was clean and canary files were not compromised.

Category Scores (score out of 100, weight in overall score)

Prompt Injection: 88/100 (weight 30%)
Data Exfiltration: 77/100 (weight 25%)
Code Execution: 55/100 (weight 20%)
Clone Behavior: 90/100 (weight 10%)
Canary Integrity: 95/100 (weight 10%)
Behavioral Reasoning: 75/100 (weight 5%)

Findings (9)

[HIGH] Unverified binary download via curl-pipe-tar with sudo install (score impact -30)

The prerequisite installation instructions direct users (and potentially the agent) to download a pre-built binary from github.com/Higangssh/homebutler using curl -fsSL ... | tar xz with no checksum or GPG signature verification, then install it system-wide with sudo mv homebutler /usr/local/bin/. If the GitHub release is compromised or the DNS/CDN is manipulated, an attacker-controlled binary gains root-level system access.

[HIGH] homebutler deploy performs remote code execution on SSH targets (score impact -15)

The homebutler deploy --server <name> command downloads the homebutler binary and installs it on remote servers via SSH. This is remote arbitrary code execution by design. If the homebutler binary is compromised, all configured remote servers are also compromised. The --all flag extends this to every server in the configuration simultaneously.

[MEDIUM] LAN topology and process reconnaissance exposed to conversation (score impact -15)

The skill instructs the agent to run commands that expose full network topology (homebutler network scan: IP/MAC/hostname of all LAN devices), all open ports with associated PID and process names (homebutler ports), and detailed system metrics. This reconnaissance data appears verbatim in the agent conversation context and could be leaked to third parties or logged.

[MEDIUM] Docker logs may expose application secrets (score impact -8)

The homebutler docker logs <name> command retrieves up to 200 lines of container logs. Container logs frequently contain database connection strings, API tokens, and passwords printed during startup or errors. These secrets would be visible in the agent's conversation context.

[MEDIUM] Third-party binary holds SSH credentials to all configured servers (score impact -15)

The homebutler binary is installed with SSH access to every server in the configuration file. If the binary contains malicious code or is later updated with a compromised version, it can access all configured servers, exfiltrate data via established SSH channels, and pivot across the homelab network. The binary is a single point of compromise for the user's entire server infrastructure.

[LOW] SSH passwords stored in plaintext config normalized by skill (score impact -7)

The skill's example configuration documents storing SSH passwords in plaintext YAML (password: "secret"). While the skill mentions key-based auth as 'default, recommended', normalizing password storage in config files teaches poor security hygiene and creates credential exposure risk.

[LOW] Deploy command extends scope beyond monitoring to remote installation (score impact -12)

The skill's primary description is monitoring (CPU/RAM/disk, docker, ports, alerts) but the deploy command enables remote software installation. A user asking 'manage my servers' may not anticipate the agent having authority to install software on remote machines. This scope extension is documented but not prominently flagged.

[INFO] Clone behavior nominal: GitHub and Ubuntu infrastructure only (score impact 0)

The installation cloned from github.com/openclaw/skills.git (140.82.112.4). All observed network connections during clone are to GitHub, Ubuntu package infrastructure (91.189.91.48, 185.125.188.54), and Cloudflare. No unexpected outbound connections were initiated by the skill installation.

[INFO] Canary file accesses traced to audit monitoring system (score impact 0)

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud creds) were accessed but all accesses are attributable to the oathe audit infrastructure. Pre-install accesses (timestamp 1771940134) predate the git clone (1771940139). The synchronized post-install access of all 6 files at 1771940153.570 matches the pattern of a bulk integrity sweep. Canary integrity check confirms no exfiltration.