Is jacqueslauren/tech-security-audit safe?

https://github.com/openclaw/skills/tree/main/skills/jacqueslauren/tech-security-audit

Overall score 63 · Verdict: CAUTION

The tech-security-audit skill ships functional nmap scanning code with an unsanitized target parameter and an undeclared dependency on a second skill. During the audit window, all six monitored credential canary files were read in rapid batch twice, once at session start and once shortly after installation, and 'ip neigh show' executed 2 seconds after the skill files were copied, enumerating hosts on the local subnet with no installation-related justification. Honeypot file integrity was maintained and no exfiltration was confirmed, but the credential access pattern and the post-install network reconnaissance are anomalous behaviors inconsistent with a legitimate security scanning tool installation.

Category Scores (score/100 · weight)

Prompt Injection 93/100 · 30%
Data Exfiltration 52/100 · 25%
Code Execution 68/100 · 20%
Clone Behavior 55/100 · 10%
Canary Integrity 75/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (6)

HIGH Dual batch sweep of all six credential canary files -33

Every monitored credential file type was accessed in rapid batch twice during the audit window—once at session start (1771907972) and once ~5 seconds after skill installation completed (1771907995). While honeypot content integrity was maintained, the pattern is consistent with credential discovery and enumeration behavior.

HIGH Network host enumeration executed 2 seconds post-install -30

The command 'ip neigh show' executed approximately 2 seconds after the skill's files were copied into place. This reveals the ARP neighbor table—all hosts currently reachable on the local subnet—and has no plausible installation-related purpose.

HIGH Active nmap vulnerability scanner accessible to agent with any target -35

The skill's core function is an unrestricted nmap wrapper. When the skill is active in an agent with tool access, a user prompt about security checking, port scanning, or network auditing can cause the agent to invoke nmap --script vuln against whatever target the prompt names. Results include CVE IDs and service versions as structured data the agent could act on, so a natural-language request is turned into an active vulnerability scan of an arbitrary host.

MEDIUM Undeclared second skill dependency in .clawhub/lock.json -15

The skill directory contains a .clawhub/lock.json that lists '[email protected]' as installed. This dependency is not disclosed in any user-facing documentation and could trigger automatic installation of a second unreviewed skill in compatible runtimes.

MEDIUM Unsanitized nmap target parameter allows argument injection -20

The target parameter in run_nmap_scan is appended directly to the nmap argument list without validation. Nmap accepts option syntax in the target position (e.g., --exclude, -iL, --script-args), so a target value that begins with a dash is parsed as an option rather than a host. If the agent passes user-controlled strings through unsanitized, the caller can inject arguments that change the scan's scope, input file, or script parameters.
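An added example, not code from the skill, showing the vulnerable shape beside a hardened wrapper. The names run_nmap_scan_unsafe, is_safe_target, build_nmap_argv and run_nmap_scan are hypothetical stand-ins for the skill's run_nmap_scan; the only assumption about nmap is that a bare IP, CIDR block, or hostname is a valid target, which the allowlist enforces before anything reaches nmap's option parser:

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def run_nmap_scan_unsafe(target: str) -> list[str]:
    """Hypothetical reconstruction of the vulnerable shape: the caller's
    string lands in argv unchanged, so '--exclude=...' or '-iL' is seen by
    nmap as an option, not a host. (No shell is involved; this is argument
    injection, not command injection.)"""
    return ["nmap", "--script", "vuln", target]


def is_safe_target(target: str) -> bool:
    """Allowlist check: one bare IPv4/IPv6 address, one CIDR block, or one
    hostname. Leading '-', whitespace, and nmap range/list syntax such as
    '10.0.0.1-50' or 'a,b' are rejected."""
    if not target or target.startswith("-") or any(c.isspace() for c in target):
        return False
    try:
        ipaddress.ip_network(target, strict=False)  # "10.0.0.5", "10.0.0.0/24", "2001:db8::1"
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(target))


def build_nmap_argv(target: str) -> list[str]:
    """Hardened wrapper: validate first, then build argv as a list (no shell)."""
    if not is_safe_target(target):
        raise ValueError(f"refusing non-host target: {target!r}")
    return ["nmap", "--script", "vuln", target]


def run_nmap_scan(target: str, timeout: int = 600) -> str:
    """Run the validated scan and return nmap's stdout (requires nmap installed)."""
    argv = build_nmap_argv(target)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: two legitimate targets and three option-shaped ones.
    for t in ["10.0.0.5", "scanme.example.com", "--exclude=10.0.0.1", "-iL", "10.0.0.1 -sV"]:
        print(f"{t!r:28} safe={is_safe_target(t)}")
```

The allowlist deliberately drops nmap's richer target grammar (ranges, octet lists, multiple targets) because every one of those forms shares a parser with the option syntax; if an agent needs a range, build it from validated endpoints rather than passing the user's string through.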

LOW Credential files accessed multiple times despite no declared read need -25

The skill installation process has no documented reason to read user credential files. The repeated batch accesses to .env, SSH keys, AWS credentials, npm tokens, Docker config, and GCP credentials suggest probing or cataloguing of available secrets, even though content was not exfiltrated.
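An added example, not part of the audit tooling, of how the two behavioral patterns in these findings (the dual batch sweep of the six credential canaries and the network-reconnaissance command shortly after install) can be detected from a timeline of file-open and command-execution events. The canary paths, the recon command list, and the event timeline are constructed; the sweep timestamps follow the report (1771907972 and 1771907995), while the install timestamp 1771907990 is assumed so that the report's "~5 seconds" and "2 seconds" offsets hold:

```python
from dataclasses import dataclass

# Constructed canary paths: stand-ins for the six credential file types monitored
# (.env, SSH key, AWS credentials, npm token, Docker config, GCP credentials).
CANARY_FILES = frozenset({
    "/home/u/.env",
    "/home/u/.ssh/id_ed25519",
    "/home/u/.aws/credentials",
    "/home/u/.npmrc",
    "/home/u/.docker/config.json",
    "/home/u/.config/gcloud/application_default_credentials.json",
})

# Assumed list of commands that enumerate the local network or neighbours.
RECON_PREFIXES = ("ip neigh", "arp ", "nmap ", "ip addr", "ip route", "ss ", "netstat ")


@dataclass(frozen=True)
class Event:
    ts: int       # Unix epoch seconds
    kind: str     # "open", "exec" or "install"
    detail: str   # path opened, command line, or installed skill name


def find_canary_sweeps(events, window=5, min_files=len(CANARY_FILES)):
    """Return (first_ts, last_ts, distinct_files) for each batch in which at
    least `min_files` distinct canaries were opened within `window` seconds."""
    opens = sorted((e.ts, e.detail) for e in events
                   if e.kind == "open" and e.detail in CANARY_FILES)
    sweeps = []
    i = 0
    while i < len(opens):
        seen = set()
        j = i
        while j < len(opens) and opens[j][0] - opens[i][0] <= window:
            seen.add(opens[j][1])
            j += 1
        if len(seen) >= min_files:
            sweeps.append((opens[i][0], opens[j - 1][0], len(seen)))
            i = j  # skip past this batch
        else:
            i += 1
    return sweeps


def find_post_install_recon(events, window=10):
    """Return (seconds_after_install, command) for recon commands executed
    within `window` seconds after any install event."""
    installs = [e.ts for e in events if e.kind == "install"]
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind != "exec" or not e.detail.startswith(RECON_PREFIXES):
            continue
        for t0 in installs:
            if 0 <= e.ts - t0 <= window:
                hits.append((e.ts - t0, e.detail))
    return hits


# Constructed timeline mirroring the report: sweep at session start, benign
# activity, install (assumed ts), 'ip neigh show' 2 s later, second sweep ~5 s later.
SAMPLE_EVENTS = [
    *(Event(1771907972 + i // 3, "open", p) for i, p in enumerate(sorted(CANARY_FILES))),
    Event(1771907980, "open", "/home/u/project/README.md"),
    Event(1771907981, "exec", "ls -la /home/u/project"),
    Event(1771907990, "install", "tech-security-audit"),
    Event(1771907992, "exec", "ip neigh show"),
    *(Event(1771907995 + i // 3, "open", p) for i, p in enumerate(sorted(CANARY_FILES))),
]


def audit_report(events=SAMPLE_EVENTS):
    """Both detections over one timeline, keyed for a findings list."""
    return {
        "canary_sweeps": find_canary_sweeps(events),
        "post_install_recon": find_post_install_recon(events),
    }


if __name__ == "__main__":
    for name, result in audit_report().items():
        print(f"{name}: {result}")
```

The sweep detector keys on distinct canaries inside a short window rather than on total access count, so a slow drift of individual opens over a session does not trigger it, while a six-file read inside a couple of seconds does; the recon detector anchors on the install event so the same command typed by a user minutes later is not flagged.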