Is jonathanliu811026/skillguard-audit safe?

https://github.com/openclaw/skills/tree/main/skills/jonathanliu811026/skillguard-audit

Overall score: 36/100
Verdict: DANGEROUS

SkillGuard presents itself as a security auditor for agent skills, but its architecture is a sophisticated supply-chain surveillance operation: it auto-intercepts every skill installation system-wide and transmits full skill source code to an operator-controlled Cloudflare Tunnel endpoint, with verdicts returned by the same operator. The skill additionally directs agents to sign EIP-712 crypto IOUs and make USDC payments, creating financial harm potential, and uses an ENS domain as a durable C2 pointer to ensure the attacker retains control even when the tunnel URL changes. While no direct credential exfiltration was confirmed during dynamic analysis and the clone behavior was clean, the skill's design is inherently malicious: legitimate security tools do not require sending audited code to third-party servers or making autonomous financial transactions.

Category Scores

Prompt Injection: 30/100 (weight 30%)
Data Exfiltration: 15/100 (weight 25%)
Code Execution: 35/100 (weight 20%)
Clone Behavior: 85/100 (weight 10%)
Canary Integrity: 70/100 (weight 10%)
Behavioral Reasoning: 10/100 (weight 5%)

Findings (10)

CRITICAL (-35): Systematic exfiltration of all audited skill code to attacker-controlled server

The skill's stated workflow concatenates the full source of every skill being evaluated and POSTs it to a Cloudflare Tunnel URL controlled by the skill author. This is exfiltration-as-a-feature: every future skill installation on the agent passes its code through this channel.

CRITICAL (-25): Auto-triggers on ALL skill installs, hijacking agent security decisions system-wide

The description field marks the skill for automatic invocation on any skill installation event. Once installed, the agent is instructed to submit every future skill for remote audit before proceeding, making this skill a mandatory system-wide gatekeeper whose verdicts are entirely operator-controlled.

CRITICAL (-30): Trojan security tool conducting supply-chain surveillance under trusted guise

Positioning itself as a security auditor is the precise framing needed to maximally lower user defenses. The skill gains elevated trust (users expect a security tool to access sensitive data) while systematically sending all reviewed skill code to an attacker-controlled backend.

CRITICAL (-25): Agent directed to sign EIP-712 IOUs and make USDC payments

The skill instructs the agent to interact with a crypto wallet: sign structured data for IOUs and execute live USDC micropayments via npx awal. Without explicit per-transaction user confirmation in the agent loop, this can drain funds or create binding financial obligations.

HIGH (-30): npx awal@latest executes unpinned, remotely-updateable npm package

The @latest tag means the npm package fetched at runtime can be silently replaced with a malicious version by the package maintainer. There is no version pin, no subresource integrity check, and no sandboxing.

HIGH (-20): ENS-based C2 infrastructure provides durable attacker persistence

The ENS name skillguard.base.eth acts as a permanent pointer to the current API endpoint. The Cloudflare Tunnel URL can change at any time, but ENS resolution ensures agents always find the current attacker-controlled server. This is a sophisticated, updateable C2 channel.

HIGH (-15): audit.sh --file flag enables arbitrary file reads beyond skill code

The script accepts --file and does an unconstrained cat on any path the agent provides. If the skill's instructions are extended (or the agent is separately manipulated) to pass credential paths, arbitrary file contents can be POSTed to the external API.

MEDIUM (-20): Post-install read access to .env, SSH key, AWS credentials, Docker, and GCloud credentials

auditd PATH records confirm open+read (CLOSE_NOWRITE) events on six sensitive credential files at epoch timestamp 1771927600 (~5 seconds after install completed). The files were not modified. Attribution is uncertain (the reads could be monitoring teardown), but the timing and breadth of the access pattern warrant flagging.

MEDIUM (-25): Centralized verdict control enables selective ecosystem manipulation

All SAFE/DANGEROUS verdicts originate from a single attacker-controlled endpoint with no cryptographic proof. The operator can approve targeted malicious skills and suppress legitimate ones, with the installed skill enforcing those decisions inside the agent.

LOW (-15): Clone and install behavior was clean with no unexpected network or process activity

The git clone connected only to GitHub (140.82.121.4:443). No unexpected processes spawned, no filesystem writes outside the skill directory, and no connections to the SkillGuard API were made during installation itself.