Is justinburdett/flyio-cli safe?

https://github.com/openclaw/skills/tree/main/skills/justinburdett/flyio-cli

Overall score: 94/100 · SAFE

The justinburdett/flyio-cli skill is a legitimate, well-structured Fly.io CLI assistant with explicit read-only defaults and clearly gated high-risk operations. No prompt injection, hidden instructions, or data exfiltration mechanisms were detected in the skill content, and all canary honeypot files remained intact throughout the audit. The primary residual risks are operational rather than malicious: the skill documents genuinely powerful Fly.io CLI commands (SSH exec, secrets management, Postgres access) that carry inherent danger if an agent misinterprets user intent or is combined with credential-reading skills.

Category Scores

Prompt Injection: 95/100 · weight 30%
Data Exfiltration: 90/100 · weight 25%
Code Execution: 95/100 · weight 20%
Clone Behavior: 95/100 · weight 10%
Canary Integrity: 100/100 · weight 10%
Behavioral Reasoning: 80/100 · weight 5%

Findings (6)

LOW (-15): SSH exec enables arbitrary remote code execution

The 'fly ssh console -a <app> -C "<command>"' command documented in the High-risk operations section executes arbitrary shell commands inside production Fly.io VMs. While SKILL.md requires explicit user approval before invoking this command, the approval gate depends entirely on the agent correctly interpreting user intent, so ambiguous instructions could bypass the gate in practice.

LOW (-10): Secrets management commands could surface sensitive values in context

'fly secrets set KEY=value' and 'fly postgres connect' are documented as usable commands requiring explicit approval. If invoked, they interact directly with production secrets and live databases. A misled agent could pass secret values as arguments, embedding them in conversation history or logs.

LOW (-5): FLY_API_TOKEN reference increases token exposure surface

The GitHub Actions reference documentation names FLY_API_TOKEN as a required secret. If the agent has access to local CI configuration files and this skill is active, the agent might surface the token value while following the skill's GitHub Actions setup guidance.

INFO (-5): Shell helper script is safe but accepts a user-controlled path

scripts/fly_app_from_toml.sh takes a file path as its first argument and reads it with awk. The script uses set -euo pipefail and checks that the file exists before reading it. It makes no network calls and uses no eval or heredoc injection vectors. The risk is negligible, but the path argument originates from the caller.

INFO (-5): Monorepo sparse checkout fetches full pack data

Installation clones the entire openclaw/skills monorepo with --depth 1 and then applies a sparse checkout. This is the expected install mechanism for this skill registry, but it means a significant volume of unrelated skill data is transiently downloaded to /tmp/monorepo-clone before cleanup.

INFO (-5): SKILL.md promotes read-only defaults with explicit destructive gates

The skill's safety posture is well-structured: read-only commands are explicitly listed as the default; all state-mutating operations are consolidated in a clearly marked 'High-risk operations (ask first)' section; references/safety.md reinforces the policy. No attempt to override agent instructions or suppress output.