Is security-auditor safe?
https://clawhub.ai/jgarrison929/security-auditor
This is a legitimate, well-structured security auditing reference skill adapted from a known open-source project (buildwithclaude by Dave Poon, MIT license). It contains no executable code, no exfiltration vectors, no hidden instructions, and no malicious payloads. The only concerns are minor: a persona override typical of specialist skills, normalization of access to sensitive files (standard for security auditors), and sensitive file reads during installation that appear to originate from the runtime environment rather than the skill itself.
Findings (7)
LOW: Persona override via role definition (-8)
The skill sets the agent's role to 'a senior application security engineer', which overrides default agent behavior. This is standard for specialist skills but represents a persona modification that could influence agent behavior in adjacent tasks.
LOW: Normalized access to sensitive file patterns (-10)
The 'Protected File Patterns' section lists sensitive files (.env, auth configs, middleware, package.json) as targets for review. While legitimate for security auditing, this normalizes agent access to these files and could be exploited in multi-skill scenarios.
INFO: Example code contains placeholder external domain (-2)
The CSP example includes 'https://api.example.com' as a connect-src directive. This is a standard placeholder (example.com is IANA-reserved) and poses no exfiltration risk.
INFO: Suggested shell commands in dependency security section (-5)
The skill suggests running 'npm audit', 'npx better-npm-audit audit', and 'npx npm-check-updates -u'. These are common legitimate security commands but are advisory only — not auto-executed.
MEDIUM: Sensitive file reads during install (runtime, not skill-originated) (-22)
During installation, filesystem monitoring detected reads of /home/oc-exec/.env and /home/oc-exec/.aws/credentials. Analysis indicates these are from the openclaw runtime environment initialization (profile loading, credential resolution) rather than skill-initiated actions, as the skill contains no executable code. However, the .aws/credentials read is notable.
INFO: CSP example includes unsafe-eval and unsafe-inline (-7)
The Content-Security-Policy example includes 'unsafe-eval' and 'unsafe-inline' in the script-src directive. While annotated with a comment to 'tighten in production', if an agent blindly copies this configuration, it would weaken CSP protections.
LOW: Potential for multi-skill exploitation (-15)
While benign on its own, this skill normalizes reading security-sensitive files and acting with security-engineer authority. A malicious companion skill could leverage this normalized behavior to justify exfiltrating data the security-auditor skill flagged for 'review'.