Is homecity/snipit safe?

https://github.com/openclaw/skills/tree/main/skills/homecity/snipit

74
CAUTION

The homecity/snipit skill is a legitimate code snippet sharing wrapper for snipit.sh with no direct prompt injection techniques, no malicious clone-time behavior, and intact canary files. However, the skill's design purpose is fundamentally to transmit arbitrary user content to a third-party external service, and its examples explicitly normalize uploading .env files and 'secrets' to snipit.sh — creating a significant data exfiltration risk in any agentic context where the LLM has file access and follows the skill's demonstrated patterns. The primary threat is not malicious code but rather an agent faithfully executing the skill's documented examples on sensitive files.

Category Scores

Prompt Injection 87/100 · 30%
Data Exfiltration 42/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 42/100 · 5%

Findings (6)

HIGH Skill explicitly teaches agent to upload .env files to external service -35

The SKILL.md common patterns section includes a literal example of uploading a .env file to snipit.sh with a password. This normalizes the pattern for any LLM agent that ingests this skill, making it likely the agent will replicate this behavior when asked to 'share' or 'send' project configuration. The .env file typically contains API keys, database credentials, and other secrets.

HIGH Skill description includes 'secrets' as a first-class upload target -23

The skill's metadata description explicitly lists 'secrets' as content to share via snipit.sh: 'Use when sharing code, configs, logs, diffs, or secrets with password protection'. This frames exfiltration of secrets to a third-party service as the intended, normal use of this skill, which will influence agent behavior in ambiguous contexts.

MEDIUM All data transmissions route through uncontrolled third-party infrastructure -35

The snipit.sh service is external infrastructure outside the user's control. Even with AES-256 encryption claims, the service operator has access to all uploaded content. A compromise of snipit.sh or a malicious operator would silently intercept code, logs, configs, and secrets uploaded by agents using this skill.

MEDIUM Requires installation of unaudited third-party npm package with network capabilities -22

The install metadata specifies 'npm install -g snipit-sh' as the installation method. This global npm package gains the ability to make network connections and read files. The package's security posture, supply chain integrity, and postinstall scripts were not independently audited in this review.

LOW Canary file accesses occur during GNOME session startup, not attributable to skill -8

Audit logs show .env, .ssh/id_rsa, and credential file path accesses during the monitoring window. These are attributable to the audit harness canary initialization (timestamp ~1771949309), GNOME session environment loading (~1771949320), and post-install canary integrity checks (~1771949327). No accesses correlate with the skill installation process itself (which completed at ~1771949322.926).

LOW Skill frames secret-sharing as routine agent behavior -13

While no classic prompt injection was found, the skill's framing of secrets, .env files, and credentials as normal upload targets subtly conditions any agent running this skill to treat third-party data transmission as acceptable. In combination with other skills or broad user requests, this normalization increases the attack surface.