Is hilongjw/seede-design safe?

https://github.com/openclaw/skills/tree/main/skills/hilongjw/seede-design

Overall score: 87 (SAFE)

The hilongjw/seede-design skill is a straightforward Seede AI API wrapper for generating design graphics; it contains no prompt injection, no malicious install-time code, and all canary honeypots remained intact. The primary residual risks are a shell variable injection flaw in seede.sh's JSON construction and a legitimate-but-abusable file upload feature that transmits local file contents to the third-party api.seede.ai endpoint. These are implementation quality issues rather than intentional malice, but they warrant awareness before deployment.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (6)

MEDIUM Unescaped shell variable interpolation in seede.sh JSON construction -22

The create subcommand builds a JSON payload by directly interpolating $NAME and $PROMPT into a double-quoted shell string. Input containing double-quotes, backslashes, backticks, or $(...) subshell syntax can break the JSON structure or, depending on shell parsing context, execute arbitrary commands.

MEDIUM Arbitrary local file upload to third-party API endpoint -22

The upload subcommand of seede.sh reads any file path provided by the caller, determines its MIME type, base64-encodes its contents, and sends the result to https://api.seede.ai/asset. If an agent is prompted to 'upload' a path such as ~/.ssh/id_rsa or ~/.aws/credentials as a design asset, those file contents would be transmitted to Seede AI's servers.

LOW API token referenced in Authorization header without Bearer prefix -5

SKILL.md instructs the agent to set 'Authorization: $SEEDE_API_TOKEN' without the standard 'Bearer' prefix. While this matches the Seede AI API's documented format, it means the raw token value appears literally in headers and may surface in agent tool-call logs, increasing the risk of accidental token exposure.

LOW Third-party API dependency introduces supply-chain trust assumption -18

The skill routes all design generation through api.seede.ai, a service operated by a third party. API responses (including generated HTML via /api/task/:id/html) are consumed by the agent and could contain prompt injection payloads if the Seede AI service were compromised or the project ID were attacker-controlled.

INFO Installation is a clean git sparse-checkout with no side effects 0

The install process performed a shallow sparse-checkout of the specific skill subdirectory from the openclaw/skills monorepo. No processes were spawned beyond git, no files were written outside the skill directory, and all network connections are attributable to GitHub and pre-existing Ubuntu system services.

INFO All honeypot credential files confirmed intact 0

Post-install canary check confirms .env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were not modified or exfiltrated. inotify/auditd accesses to these paths during monitoring are attributable to the audit framework's sudo setup and canary verification phase.