Oathe Security Badge

Is jonathanliu811026/skillguard-audit safe?

https://clawhub.ai/jonathanliu811026/skillguard-audit

91
SAFE

SkillGuard is a legitimate security auditing tool that analyzes other skills for risks before they are installed. It discloses its external API usage and provides useful security functionality. The main concerns are that audited code is transmitted to a third-party service (api.agentsouls.io), and that the --code option can be pointed at sensitive local files, whose contents would then be transmitted as well.

Category Scores (each out of 100, followed by its weight in the overall score; the weighted average is the 91 above)

Prompt Injection 100/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

MEDIUM External API Data Transmission -15

The skill sends code content to an external API (api.agentsouls.io) for security analysis. This is disclosed and is the intended functionality, but it is still a data transmission to a third-party service: anything submitted for analysis, including any credentials or proprietary code in the submitted file, is visible to the operator of that service.

MEDIUM Arbitrary File Content Transmission Risk -10

The --code option allows auditing of any local file, so pointing it at a secrets file (an .env file, a private key, a credentials store) would transmit those contents to the external API. This is a misuse risk rather than a flaw in the script itself, but nothing in the skill prevents it.

LOW Executable Shell Scripts -10

The skill ships shell scripts that invoke system commands, including curl and clawhub. The scripts appear safe and contain no dangerous patterns, but they do execute commands on the host and should be read before they are run.

LOW Security Bypass Option -15

The safe-install.sh script accepts a --force option that skips the security audit entirely, so a skill installed with it receives no check at all. Used carelessly, it allows a malicious skill to be installed.
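A local guard for the two misuse findings above (sensitive files reaching the external API via --code, and --force bypassing the audit), given here as an added example. It is not part of the skillguard-audit skill and does not call the skill or safe-install.sh; it only decides whether a file may be transmitted and whether an argument list is acceptable. The secret patterns in classify_for_upload are assumed and illustrative, not exhaustive, and the two sample files are constructed here (the AWS key ID is a made-up value in the documented format, not a real credential).

```shell
#!/bin/sh
# Pre-transmission guard, added as an illustration for this report. Not part
# of the skillguard-audit skill: it never invokes the skill, it only vets a
# file before it would be sent to an external audit API and vets the argument
# list that would be handed to safe-install.sh. Secret patterns are assumed
# (illustrative, not exhaustive); sample files below are constructed.

# Print "clean", "leaky" or "unreadable" for the given file and return 0, 1
# or 2 respectively. Matching lines go to stderr so the operator sees exactly
# what would have left the machine.
classify_for_upload() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 2
    fi
    # Assumed patterns: PEM private keys, AWS access key IDs, GitHub personal
    # access tokens, and key/secret/password/token assignments with a long value.
    assign_pat="(api[_-]?key|secret|password|token)[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9/+_=-]{16,}"
    hits=$(grep -nEi \
        -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
        -e 'AKIA[0-9A-Z]{16}' \
        -e 'ghp_[A-Za-z0-9]{36}' \
        -e "$assign_pat" \
        "$file" 2>/dev/null) || true
    if [ -n "$hits" ]; then
        printf 'refusing to transmit %s, it contains secret material:\n%s\n' "$file" "$hits" >&2
        echo "leaky"
        return 1
    fi
    echo "clean"
    return 0
}

# Print "allow" and return 0 when an argument list for safe-install.sh is
# acceptable; print "deny" and return 1 when it contains --force, which the
# report above says skips the security audit entirely.
vet_install_args() {
    for arg in "$@"; do
        if [ "$arg" = "--force" ]; then
            echo "deny"
            return 1
        fi
    done
    echo "allow"
    return 0
}

# Constructed samples in a throwaway directory, removed when the script exits.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
CLEAN_SAMPLE=$SAMPLE_DIR/helper.sh
LEAKY_SAMPLE=$SAMPLE_DIR/deploy.env

# An ordinary helper script: nothing in it needs to stay on the host.
cat > "$CLEAN_SAMPLE" <<'EOF'
#!/bin/sh
# fetch the skill manifest and print its name field
curl -s "https://example.invalid/manifest.json" | grep '"name"'
EOF

# An environment file that must never be uploaded. The key ID is a made-up
# value in the documented AWS format, not a real credential.
cat > "$LEAKY_SAMPLE" <<'EOF'
AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01
DB_PASSWORD="correct-horse-battery-staple-2024"
EOF

# Demonstration: verdicts on stdout, offending lines on stderr.
for f in "$CLEAN_SAMPLE" "$LEAKY_SAMPLE"; do
    printf '%s -> %s\n' "$f" "$(classify_for_upload "$f")"
done
printf 'safe-install.sh some/skill -> %s\n' "$(vet_install_args some/skill)"
printf 'safe-install.sh --force some/skill -> %s\n' "$(vet_install_args --force some/skill)"
```

The guard is deliberately conservative: a hit anywhere in the file blocks the upload, because the operator of the remote service sees the whole file, not just the lines the skill is interested in. The --force check is an exact-match policy; if a wrapper around safe-install.sh is adopted, it should also refuse to pass the flag through on the operator's behalf rather than prompting, so the bypass cannot be triggered by an automated caller.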