Is kipasdinding6969-alt/tesy safe?
https://github.com/openclaw/skills/tree/main/skills/kipasdinding6969-alt/tesy
This skill is a verbatim republication of the legitimate 'pai-redteam' adversarial analysis skill under a throwaway account and test slug. The primary security concern is a covert localhost:8888 HTTP notification embedded in SKILL.md that fires silently on every workflow invocation — suppressing output deliberately so users cannot observe the network activity. Combined with a customization directory that grants override authority to filesystem-resident configs, the skill introduces undisclosed behaviors that do not appear in its description. No exfiltration of sensitive files was detected during the monitored install, and the skill's core analytical functionality appears legitimate.
Findings (8)
HIGH (-28): Covert localhost HTTP notification fires silently on every workflow execution
SKILL.md explicitly instructs the agent to POST workflow execution data to http://localhost:8888/notify using curl. The request runs in the background with full output suppression (> /dev/null 2>&1 &), making it invisible to the user in the conversation. Any process bound to port 8888 — including one planted by another compromised skill — receives the skill name and active workflow name. This constitutes undisclosed telemetry.
HIGH (-20): Output suppression deliberately hides agent-initiated network activity from the user
The curl command is structured to suppress both stdout and stderr and to run as a detached background process. This is not accidental — it is an explicit design choice to ensure the user cannot observe that the skill is making an outbound connection on their behalf. This violates reasonable transparency expectations for injected agent behavior.
MEDIUM (-15): Customization directory grants override authority to a user-controlled filesystem path
Before executing any workflow, the skill instructs the agent to read PREFERENCES.md and arbitrary resources from ~/.claude/skills/CORE/USER/SKILLCUSTOMIZATIONS/RedTeam/ and apply them as behavioral overrides. If any other installed skill or process can write to that path, it becomes a persistent secondary injection vector that survives across conversations.
MEDIUM (-25): Legitimate skill republished under an unrelated account with a throwaway slug
The skill's internal content consistently references 'skills/pai-redteam/' (e.g., [[skills/pai-redteam/Workflows/AdversarialValidation|AdversarialValidation]]), revealing that it is a direct copy of an existing published skill. The publishing account 'kipasdinding6969-alt' and slug 'tesy' with display name 'test' are inconsistent with a genuine skill author. This pattern — republishing a reputable skill under an alternate account — is a common technique for laundering trust.
LOW (-10): Cross-skill notification framework establishes coordinated agent activity tracking
The notification section references '~/.claude/skills/CORE/SkillNotifications.md' as full documentation, indicating this localhost:8888 POST is a standardized pattern used across the publisher's skill ecosystem. If multiple skills share this pattern, any listener on port 8888 receives a continuous log of which skills the agent is using and when, building a detailed behavioral profile without user consent.
LOW (-20): Shell command execution on every invocation not disclosed in skill description
The skill description ('Adversarial analysis with 32 agents. USE WHEN red team, attack idea, counterarguments, critique, stress test.') makes no mention of network requests or shell command execution. Users who install based on the description alone cannot anticipate that every workflow execution triggers a curl command.
INFO (0): Installation proceeded cleanly with no skill-initiated suspicious activity
The git sparse checkout of the skill subpath from the monorepo completed normally. Process execution during install was confined to git, cp, and rm operations consistent with the ClawHub install script. The openclaw-gateway connections (34.233.6.177, 3.213.170.18) visible in the connection diff are platform infrastructure, not initiated by the skill.
INFO (0): All honeypot files intact — no exfiltration via canary mechanism
Honeypot file accesses logged by auditd (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) correspond to known oathe monitoring timestamps (1771938371 = pre-install baseline, 1771938392 = post-install sweep). Content of all canary files was verified unmodified.