Is ilya-ryzhov/strapi safe?

https://github.com/openclaw/skills/tree/main/skills/ilya-ryzhov/strapi

Overall score: 87/100
Verdict: SAFE

The ilya-ryzhov/strapi skill is a legitimate Strapi CMS management tool with clean code, no malicious install scripts, no prompt injection attempts, and confirmed canary file integrity. However, two architectural features present significant operational risks when the skill is active: the files upload command accepts arbitrary local filesystem paths (enabling credential exfiltration if the agent is manipulated via CMS content), and the schema domain exposes irreversible destructive operations with no confirmation gate. These are inherent design risks, not malicious behavior.

Category Scores

Category               Score     Weight
Prompt Injection       93/100    30%
Data Exfiltration      78/100    25%
Code Execution         85/100    20%
Clone Behavior         92/100    10%
Canary Integrity       100/100   10%
Behavioral Reasoning   70/100    5%

Findings (6)

HIGH (-15): Arbitrary local file path accepted by files upload command

The files upload command accepts any local filesystem path as the source argument with no path restriction, allowlist, or confirmation requirement. An agent manipulated via adversarial content in the CMS (indirect prompt injection) could be instructed to upload files like ~/.ssh/id_rsa or ~/.aws/credentials to the Strapi media library, exfiltrating them to whoever controls the Strapi instance.

HIGH (-15): Irreversible schema deletion commands with no confirmation gate

The schema domain exposes delete-type and delete-component commands that permanently destroy database schema and all associated data. The instructions note 'Strapi will restart after changes' but provide no confirmation mechanism. A confused or manipulated agent could issue these commands against production content types, causing permanent data loss.

MEDIUM (-7): Raw fetch domain allows unrestricted Strapi API access

The fetch command accepts an arbitrary HTTP method and path, making requests to any endpoint on the configured Strapi server. This allows the agent to access admin-only or internal Strapi endpoints beyond what the structured handlers expose, and could be used to probe internal services if STRAPI_BASE_URL points to an internal host.

MEDIUM (-20): User authentication endpoints enable account takeover and enumeration

The users domain exposes forgot-password (sends reset email) and reset-password (applies token) without requiring the API token, operating on public endpoints. These could be used by a manipulated agent to trigger password reset emails for arbitrary user accounts or to enumerate valid email addresses via error responses.

LOW (-7): Overly broad skill trigger phrase risks unintended activation

The SKILL.md 'Use when' clause lists an extremely broad set of trigger terms including generic terms like 'REST API', 'login', 'register', 'permissions', 'authentication', and 'creating/updating/deleting CMS content'. This may cause the skill to activate in contexts where a user is asking about non-Strapi systems, unnecessarily expanding the attack surface.

INFO (0): Install fetches from GitHub with clean post-install state

The install script cloned the openclaw/skills repository over HTTPS to GitHub (140.82.121.4:443), performed a sparse checkout of the skill subpath, and cleaned up the temp directory. No persistent network connections remain after install. This is expected behavior.