Is jason-allen-oneal/skill-scanner-guard safe?
https://github.com/openclaw/skills/tree/main/skills/jason-allen-oneal/skill-scanner-guard
skill-scanner-guard is a well-intentioned and functionally coherent security gate for OpenClaw skill installations with clean, readable shell scripts and no evidence of malicious payload or prompt injection in SKILL.md. The primary concern is supply chain exposure: the skill's core scanning function requires cloning and executing unversioned external code (cisco-ai-defense/skill-scanner via uv, clawhub via npx), meaning the security guarantee is only as strong as those third-party dependencies at the moment of use. Secondary concerns include a systemd persistence mechanism that gives the skill ongoing surveillance over the user's entire skill directory, a --force bypass flag exploitable by a manipulated agent, and a report injection vulnerability in the quarantine logic that could allow a malicious scanned skill to disrupt others.
Findings (13)
HIGH Unversioned external code execution via cisco-ai-defense/skill-scanner -20
The skill's primary function requires cloning https://github.com/cisco-ai-defense/skill-scanner and running CC=gcc uv sync --all-extras, which downloads and compiles arbitrary Python packages including a C extension (yara-python). All subsequent scan operations execute this external code via uv run skill-scanner. No commit hash, tag, or lockfile is pinned by this skill. Any future update to the scanner repo or its transitive Python dependency tree executes silently in the user's agent context on the next scan.
MEDIUM systemd path unit creates persistent full-directory surveillance of all skill changes -15
The documented systemd --user path unit triggers auto_scan_user_skills.sh on any filesystem change under ~/.openclaw/skills/. This gives the skill persistent automatic execution rights over all future skill installations beyond the stated on-demand scanning purpose. Combined with the report injection vulnerability, a persistent attacker could monitor skill installs, log skill contents during scanning, or selectively quarantine targeted skills.
MEDIUM Report injection vulnerability in quarantine logic -12
auto_scan_user_skills.sh uses awk to parse cisco-ai-defense/skill-scanner's markdown report output and extract directory paths for quarantine. The parser matches Directory: lines adjacent to Max Severity: HIGH. A malicious skill that crafts its file content to inject matching lines into the scan report could cause the quarantine logic to mv a legitimate skill directory — disrupting security operations or removing a competing skill. The only guard is [[ "$d" == "$USER_SKILLS"/* ]], which a path within the skills directory trivially satisfies.
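A per-directory scanning loop, added here as an illustration and not code from the skill or from skill-scanner, that closes the cross-skill report-injection path described above: each quarantine decision applies only to the directory that was just scanned, so nothing parsed out of the report ever selects a target. It assumes a hypothetical SCANNER command that prints a markdown report with a `Max Severity:` line for one directory; `run_scanner`, `should_quarantine` and `scan_and_quarantine` are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example, not the skill's own code. Quarantine decisions are made
# per directory: the target is always the directory that was handed to the
# scanner, never a path read back out of the report, so text inside one
# skill cannot select another skill for the mv.
#
# Assumption (hypothetical): SCANNER takes one directory argument and prints
# a markdown report containing a "Max Severity: <LEVEL>" line.
: "${SCANNER:=scanner-command-placeholder}"

# Runs the scanner on one directory. Kept as a function so it can be
# swapped for a test double.
run_scanner() {
    # shellcheck disable=SC2086  # SCANNER is intentionally word-split
    $SCANNER "$1"
}

# Reads one report on stdin and prints the first "Max Severity:" value.
report_max_severity() {
    sed -n 's/^Max Severity:[[:space:]]*\([A-Za-z]*\).*/\1/p' | head -n 1
}

# Succeeds only if the report for THIS directory is HIGH or CRITICAL.
# Any "Directory:" lines in the report are deliberately ignored.
should_quarantine() {
    local sev
    sev=$(run_scanner "$1" | report_max_severity)
    case "$sev" in
        HIGH|CRITICAL) return 0 ;;
        *) return 1 ;;
    esac
}

# Scans each immediate child of the skills root separately and moves the
# flagged ones under the quarantine directory. Prints quarantined names.
scan_and_quarantine() {
    local root="$1" quarantine="$2" dir name
    mkdir -p -- "$quarantine"
    for dir in "$root"/*/; do
        dir=${dir%/}
        # Skip symlinks: a link could point the mv outside the skills tree.
        [ -d "$dir" ] && [ ! -L "$dir" ] || continue
        name=$(basename -- "$dir")
        if should_quarantine "$dir"; then
            mv -- "$dir" "$quarantine/$name"
            printf '%s\n' "$name"
        fi
    done
}
```

A skill that injects `Max Severity: HIGH` into its own report can only get itself quarantined, which is the fail-safe direction.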
MEDIUM --force flag allows AI agent to completely bypass security gate -12
Both scan_and_add_skill.sh and clawhub_scan_install.sh expose a --force flag that installs skills regardless of High/Critical findings, executing cp even when BLOCKED=1. The flag is documented in SKILL.md's usage text. A sophisticated prompt injection attack against the agent, or a user instruction to 'just install it', could cause the agent to invoke --force, rendering the skill's entire security purpose void.
MEDIUM Unpinned npx clawhub execution on every ClawHub install -10
clawhub_scan_install.sh uses npx -y clawhub without any version pin, fetching the latest published npm package on every invocation. A compromised or maliciously updated clawhub package would execute arbitrary code during any ClawHub-sourced skill installation, with full user privileges.
MEDIUM External scanner executes with network access while processing skill file contents -10
When cisco-ai-defense/skill-scanner performs scan-all, it reads all files in the skills directory and runs with full user network access. The scanned content could include sensitive information embedded in skills. The skill operator has no visibility into what the external scanner does with this data during execution — this is a trust dependency on a third-party Python process.
MEDIUM Security guarantee entirely dependent on unversioned external scanner -8
The skill's security value is only as strong as cisco-ai-defense/skill-scanner at the moment of use. Since it is cloned from HEAD without any version pinning, any upstream compromise, backdoor, or intentional change in detection logic silently undermines every subsequent scan. The user has no way to detect that the scanner's behavior has changed.
LOW Staging directory retained permanently after ClawHub installs -7
clawhub_scan_install.sh creates a per-install staging directory under $WORKSPACE_DIR/.skill_stage/ and intentionally never cleans it up on the success path. Over time this accumulates a complete copy of every ClawHub-installed skill, potentially including proprietary or sensitive skill content, accessible to anyone with filesystem read access.
INFO systemctl declared as required binary in SKILL.md frontmatter -7
SKILL.md explicitly lists systemctl as a required binary. This signals that the skill intends to manipulate systemd user units, creating code execution persistence that survives agent restarts. While this matches the documented systemd integration feature, it expands the skill's footprint beyond transient operation.
INFO npx clawhub downloads npm packages on each invocation -6
Each execution of clawhub_scan_install.sh triggers a network download of the clawhub npm package. While scoped to skill install operations, the download happens before any scanning occurs, meaning the network egress cannot be gated by the skill's own security checks.
INFO Expected network connections to GitHub and Canonical during install -5
The install-phase network traffic is limited to GitHub (140.82.121.4:443) for the git clone and Ubuntu/Canonical infrastructure (91.189.91.48:443, 185.125.188.57:443) consistent with system background activity. No unexpected or suspicious destinations were observed. Post-install connection diff is clean.
INFO SKILL.md references external GitHub URLs for setup -5
SKILL.md contains git clone URLs for cisco-ai-defense/skill-scanner as part of setup instructions. These are documentation only and not executable by the agent reading SKILL.md, but they establish a named trust relationship with an external GitHub organization whose content is not reviewed by this audit.
INFO Canary files read during monitoring period; attributed to oathe audit infrastructure -10
inotifywait and auditd both record OPEN/ACCESS on all six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) at two timestamps: 1771908524.649 (5+ seconds before git clone started at 1771908530.160) and 1771908548.511 (post-install phase). The pre-clone cluster definitively predates skill installation. The post-install cluster follows the oathe framework's metadata scan pattern in audit ID sequencing. None of the skill's scripts contain logic to read these paths. The ✅ canary integrity confirmation verifies the files were not modified or exfiltrated.