Is juguangyuan520-dotcom/report-generator safe?

https://github.com/openclaw/skills/tree/main/skills/juguangyuan520-dotcom/report-generator

86
SAFE

The report-generator skill is a legitimate Chinese-language business report generator that produces styled HTML from structured JSON input and optionally screenshots it via the browser tool. The SKILL.md contains no prompt injection, the install was clean with only expected GitHub network activity, and all canary files remained intact. The primary risks are a path traversal vulnerability in the unsanitized --output argument and potential XSS when the agent renders user-controlled report content in the browser tool; additionally, an unused subprocess import and an accidentally included developer lock file are minor code quality concerns.

Category Scores (score · weight)

Prompt Injection 88/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (5)

MEDIUM Unsanitized --output path enables arbitrary filesystem write -20

The generate.py script passes the --output argument directly to os.makedirs() and os.path.join() without any path validation or sandboxing. An agent instructed to invoke this skill with an attacker-controlled output path (e.g., workspace/../../.ssh/) could write files to sensitive directories outside the intended workspace.

MEDIUM User-controlled HTML content rendered in browser without sanitization -15

The HTML template uses Python str.format(**context) where context values come directly from user-supplied JSON. All text fields (goal, q1_items, summary, etc.) are injected verbatim into the HTML. The SKILL.md instructs the agent to open the resulting file with file:// in the browser tool. If a user supplies script tags or event handlers in report content, these execute in the browser context when the agent screenshots the file.

LOW Unused subprocess import in generate.py -5

The script imports the subprocess module at the top level but never calls it in any active code path. The convert_to_image() function that would logically use it contains only a pass statement. This is either a code cleanup oversight or retained for future use. While not currently exploitable, it signals incomplete code hygiene.

LOW Development environment artifact included in published skill -5

The .clawhub/lock.json file within the skill directory records another skill (academic-research-hub v0.1.0) as installed in the developer's environment at publish time. This file has no runtime effect but was accidentally included, exposing the author's development toolchain and potentially indicating insufficient review before publishing.

INFO Sensitive credential paths accessed — attributed to audit system, not skill 0

Auditd PATH records show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at two points in time. Timestamp analysis places the first batch (1771936791) before GNOME session initialization and before skill install, and the second batch (1771936808) after install completion. These are consistent with oathe's own pre/post canary scanning. No content was modified or exfiltrated.