Is hypertextassassinrajith/awscli safe?

https://github.com/openclaw/skills/tree/main/skills/hypertextassassinrajith/awscli

79
CAUTION

This skill is an AWS Lightsail management tool that is functional by design but currently broken due to a CommonJS/ESM mismatch. No prompt injection or malicious code was detected, and canary monitoring found no evidence of credential exfiltration. The primary risks are operational: the skill grants an agent the ability to stop and reboot production infrastructure without confirmation steps, the 'list' action exposes all instance metadata regardless of the ALLOWED_INSTANCES whitelist, and the skill's dependency on AWS credentials broadens the credential exposure surface during normal operation.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 68/100 · 20%
Clone Behavior 72/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 62/100 · 5%

Findings (7)

HIGH AWS instance stop/reboot available without user confirmation -18

The skill exposes stop and reboot actions that terminate or restart live Lightsail instances. There is no confirmation step in the code. An agent acting on ambiguous user input (e.g., 'clean up unused servers') could inadvertently or maliciously stop production infrastructure.

MEDIUM List action bypasses ALLOWED_INSTANCES whitelist -15

The validateInstance() guard is skipped entirely for the 'list' action. Any agent with this skill loaded can enumerate all Lightsail instances visible to the configured AWS credentials, regardless of the ALLOWED_INSTANCES restriction. Instance names, IPs, and regions are surfaced to the agent's context.

MEDIUM Module type mismatch renders skill non-functional -12

package.json declares "type": "commonjs" but index.js uses ES module syntax (import/export). Node.js will throw a SyntaxError at load time. This is a critical quality defect that makes the current published version inoperable, but it is not a security control: a fixed version would be fully functional.

MEDIUM Null dereference if ALLOWED_INSTANCES env var is unset -10

ALLOWED_INSTANCES is assigned via optional chaining (?.split(',')), which returns undefined if the env var is absent. validateInstance() then calls undefined.includes(), throwing a TypeError. This unhandled crash path could cause unexpected agent failures and provides no useful error message.

LOW AWS CLI inherently reads credential files on every invocation -13

Each call to execFile('aws', ...) causes the AWS CLI to read ~/.aws/credentials and ~/.aws/config. While this is intentional and expected behavior for an AWS management skill, it means the skill requires broad credential access as a precondition and expands the file-read surface associated with this skill.

LOW Sensitive credential files read during monitoring window -18

The inotifywait and auditd logs record read-only opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials at timestamps 05:00:29 and 05:00:53. The timing (before git clone), the read-only access mode (CLOSE_NOWRITE), and the sequential inode assignment (272633-272638) strongly indicate these are audit harness canary operations, not skill behavior. However, skill influence on this pattern via environment loading cannot be fully excluded.

INFO Skill amplifies blast radius when combined with credential-reading skills -18

On its own, this skill requires pre-configured AWS credentials and operates within their IAM permissions. However, if a user's agent ecosystem includes any skill that reads environment variables or credential files and this skill is active, an attacker-controlled skill could discover AWS credentials and then invoke this skill to disrupt AWS infrastructure.