Is jacqueskang/ms-foundry-image-gen safe?
https://github.com/openclaw/skills/tree/main/skills/jacqueskang/ms-foundry-image-gen
The ms-foundry-image-gen skill is a minimal SKILL.md wrapper around the Azure Foundry image generation REST API with no executable code, no install hooks, no git submodules, and no prompt-injection content. The primary risk is a weak FOUNDRY_ENDPOINT validation regex that permits any HTTPS URL (including cloud metadata and internal addresses), so the FOUNDRY_API_KEY credential and user prompts could be sent to an unintended server if the environment variable is misconfigured or manipulated. All canary honeypot files remained intact, and the observed canary accesses are consistent with the audit framework's own pre/post verification checks.
Category Scores
Findings (6)
MEDIUM Weak FOUNDRY_ENDPOINT validation enables SSRF to any HTTPS target -13
The endpoint validation regex accepts any hostname or IP, including cloud metadata endpoints (169.254.169.254), internal network addresses, and non-Azure services. If an attacker or misconfiguration controls FOUNDRY_ENDPOINT, the skill will POST the FOUNDRY_API_KEY credential and user prompts to an arbitrary server.
MEDIUM SSRF/credential theft risk in combination with env-var writing skills -15
If a co-installed skill can modify environment variables, FOUNDRY_ENDPOINT could be redirected to an attacker-controlled server, causing the FOUNDRY_API_KEY and image prompts to be exfiltrated. This is a compositional risk absent from this skill in isolation.
LOW Primary API credential sent to fully user-configurable endpoint -9
FOUNDRY_API_KEY is always transmitted as a request header to whatever URL FOUNDRY_ENDPOINT resolves to. Credential exposure depends entirely on correct endpoint configuration.
LOW API response written to /tmp may carry injected content into agent context -7
If FOUNDRY_ENDPOINT points to an attacker-controlled server, the response JSON could embed prompt-injection payloads that the agent processes after reading /tmp/generation_result.json.
INFO Clean install via sparse monorepo checkout — no unexpected activity -12
The skill installed via a standard shallow sparse checkout from github.com/openclaw/skills. Only two files were deposited. No unexpected processes, persistent connections, or filesystem changes outside the skill directory were detected.
INFO Canary file accesses attributed to audit framework — no exfiltration -8
Honeypot credential files were opened read-only at two points matching the audit framework's expected pre-install baseline and post-install verification sweep. All files remain unmodified.