Is hochej/confluence-cli safe?
https://github.com/openclaw/skills/tree/main/skills/hochej/confluence-cli
The hochej/confluence-cli skill is a functionally reasonable Confluence CLI wrapper with good security guidance (no token pasting, explicit intent for writes). The primary risk is structural: it instructs the agent to install a third-party binary via an unauthenticated curl|sh pattern from a personal GitHub account (hochej/confcli) with no hash verification or version pinning, creating a supply chain risk that is orthogonal to the skill content itself. No active malicious behavior, prompt injection, or canary exfiltration was detected during this audit run.
Findings (8)
HIGH Unauthenticated curl|sh installer from personal GitHub repo -32
The skill instructs the agent to run curl -fsSL https://raw.githubusercontent.com/hochej/confcli/main/install.sh | sh. This downloads and executes an arbitrary shell script from a personal GitHub account (hochej) without any cryptographic verification. The script content can be changed at any time by the repo owner or an attacker who compromises the account. The installed binary receives full user-level filesystem and network access.
HIGH No version pinning or integrity verification on install script -10
While the skill shows VERSION as an optional env var for the binary, the install script URL itself is always fetched from the HEAD of the main branch. There is no checksum, GPG signature, or pinned commit hash for the install script, so the code executed by the install command can change silently over time without any change to the skill.
MEDIUM Installed binary has unrestricted access to user credentials -20
Once installed via the curl|sh pattern, the confcli binary operates with full user privileges. During normal use it legitimately reads CONFLUENCE_TOKEN/CONFLUENCE_API_TOKEN, but a compromised binary could also silently read ~/.env, ~/.aws/credentials, ~/.ssh/id_rsa, and other credential stores present in the execution environment.
MEDIUM Confluence API token surfaced in skill instructions -12
The skill explicitly names CONFLUENCE_TOKEN and CONFLUENCE_API_TOKEN as environment variable targets. While the skill correctly instructs the agent never to ask users to paste tokens in conversation, an agent that logs its reasoning or environment context could inadvertently expose these credentials.
MEDIUM Single-maintainer personal GitHub repo creates supply chain risk -25
The confcli binary is distributed from github.com/hochej/confcli, a personal repository with no organizational backing, verified publisher badge, or reproducible build. This creates a single point of compromise: account takeover, malicious PR merge, or repository deletion/replacement could push a trojanized binary to any agent that runs the install command.
LOW External URL in skill creates dependency on third-party content -10
The skill references https://id.atlassian.com/manage-profile/security/api-tokens, a legitimate Atlassian URL. While not malicious, embedding external URLs in skill instructions sets a precedent that a modified version of the skill could abuse.
INFO Canary file accesses attributed to audit framework, not skill -7
File access events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials appear at audit session init (events 371–376, timestamp 1771925210.652) and teardown (events 6880–6885). Timing and event sequence are consistent with the audit platform's own canary scanning routines, not the skill under test.
INFO Post-install connection diff shows audit infrastructure, not skill -18
The AFTER state in the connection diff shows an openclaw-gatewa process with new listeners (127.0.0.1:18793, 18790) and connections to 104.16.1.34 and 3.213.170.18. These belong to the audit execution environment's own gateway processes; they are not connections established by the skill or the confcli tool.