Is iizs/openclaw-dooray-hook-skill safe?

https://github.com/openclaw/skills/tree/main/skills/iizs/openclaw-dooray-hook-skill

94
SAFE

The iizs/openclaw-dooray-hook-skill is a legitimate, well-scoped webhook notification skill for Dooray! messenger. No prompt injection, hidden instructions, canary violations, or unexpected network activity were detected. The primary concerns are the optional SSL verification bypass (which uses a CPython private API and disables certificate validation entirely when enabled), and the inherent design property that the skill creates an agent-accessible outbound data channel which could be abused via prompt injection or config hijacking in adversarial scenarios.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 98/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (7)

MEDIUM SSL verification bypass via private CPython API -8

The send_dooray.py script uses ssl._create_unverified_context() (a private, underscore-prefixed CPython internal) to implement the optional verify_ssl: false configuration. When enabled, this completely disables TLS certificate validation, making the skill vulnerable to man-in-the-middle attacks that could intercept webhook payloads or redirect requests. The underscore prefix signals this is an implementation detail not intended for direct use.

LOW Webhook URLs are unvalidated credentials read from config -8

The script reads webhook URLs from ~/.openclaw/openclaw.json and uses them without URL scheme validation beyond the troubleshooting note in SKILL.md. If the config is compromised or manipulated by another skill, arbitrary endpoints could receive the agent's notification content. The --list flag masks only the first 40 characters of the URL, which may be insufficient to prevent accidental credential exposure in logs.

LOW Skill creates an agent-accessible outbound data channel -10

While the skill is fully legitimate, it establishes a mechanism by which an AI agent can send arbitrary text to external HTTP endpoints. Combined with prompt injection targeting the agent from other sources, an attacker could craft instructions that cause the agent to 'send a notification' containing sensitive context, conversation history, or file contents. This is a latent risk of any webhook-sending skill, not unique to this implementation.

LOW Combination risk: webhook URL hijacking via config manipulation -8

The skill reads webhook destinations from ~/.openclaw/openclaw.json without runtime integrity verification. A malicious co-installed skill with filesystem write access could modify the 'rooms' map to point to an attacker-controlled server, causing this skill to silently exfiltrate notification content without user awareness.

INFO Natural language triggers may cause unsolicited sends -3

SKILL.md's usage examples use conversational natural language patterns ('Tell the General channel...', 'Send ... to the Alerts room'). An agent with this skill active might interpret conversationally similar user utterances as explicit send commands. This is a minor UX/safety concern rather than a deliberate injection.

INFO Sparse git clone from public monorepo -2

The skill is distributed as a subdirectory of a public GitHub monorepo (github.com/openclaw/skills). The install procedure uses git sparse-checkout to extract only the relevant subdirectory, which is a standard and safe pattern. No supply chain concerns identified.

INFO Executable Python script included -2

The skill bundles scripts/send_dooray.py. This is expected and documented. The script is self-contained, uses only Python standard library, and performs no dynamic code evaluation (no eval, exec, importlib, subprocess, or os.system calls). The code logic is straightforward and auditable.