Is krisclarkdev/zededa safe?

https://github.com/openclaw/skills/tree/main/skills/krisclarkdev/zededa

79
CAUTION

The krisclarkdev/zededa skill is a functionally legitimate ZEDEDA edge computing API client with clean Python code, no prompt injection attacks, no malicious install behavior, and no canary exfiltration. However, it presents significant operational security concerns: its 473 endpoints cover full ZEDEDA infrastructure control, including irreversible destructive operations (node reboot/offboard, bulk OS upgrades, cluster deletion); a configurable ZEDEDA_BASE_URL creates an API token redirect attack vector exploitable via environment variable injection or skill chaining; and the explicit 'designed to be autonomously invoked' claim in SKILL.md reduces AI agent caution for high-consequence operations. The skill is appropriate only for users who fully trust ZEDEDA with their infrastructure and who have reviewed its scope against their agent's permission model.

Category Scores

Prompt Injection 86/100 · 30%
Data Exfiltration 63/100 · 25%
Code Execution 87/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 83/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (10)

HIGH Configurable ZEDEDA_BASE_URL allows API token redirect to attacker server -18

The ZededaClient reads ZEDEDA_BASE_URL from the environment to set the API base. If an attacker can influence environment variables — through prompt injection targeting shell configs, a compromised co-installed skill, or a malicious subagent — all subsequent API calls including the ZEDEDA_API_TOKEN Bearer header will be forwarded to an attacker-controlled HTTPS endpoint. The token grants full control of the victim's ZEDEDA edge infrastructure.

HIGH 473 endpoints include irreversible destructive infrastructure operations -30

The skill exposes node reboot, node offboard, edge node deletion, bulk OS upgrade jobs, application instance deletion/refresh, K8s cluster deletion, and ZKS instance deletion. An AI agent operating autonomously (as claimed in the 'Model Invocation Note') could trigger any of these via prompt injection, hallucination, or an ambiguous user request, causing irreversible production infrastructure damage.

MEDIUM Autonomous invocation claim bypasses user confirmation for high-privilege operations -14

The SKILL.md 'Model Invocation Note' explicitly states this skill is designed for autonomous invocation, priming the agent to execute any of the 473 endpoints — including destructive ones — without prompting the user for confirmation. This is an architectural instruction embedded in the skill prompt context that actively discourages safety checkpoints.

MEDIUM --body-file reads arbitrary local JSON files and sends content to ZEDEDA API -12

The _load_body() function opens any file path passed via --body-file without restriction. Credential files stored in JSON format — ~/.docker/config.json, ~/.config/gcloud/application_default_credentials.json, AWS credential exports — could be read by an agent responding to a manipulated request like 'create a ZEDEDA deployment using the config in [path]', and their contents forwarded to the API endpoint.

MEDIUM IAM and session endpoints enable privilege escalation and backdoor creation -15

The user service exposes endpoints to create users, create/update roles, create credentials, list all active sessions, and generate session tokens. A compromised or manipulated agent could create a hidden admin user, assign elevated roles, or extract session tokens that provide long-term persistent access to the ZEDEDA infrastructure independent of the API token.

MEDIUM --body-file opens arbitrary filesystem paths without path validation -13

While not full code execution, the --body-file parameter accepts any filesystem path and reads it as JSON. An agent could be instructed or tricked into reading sensitive JSON-formatted files (Docker config, GCP credentials, AWS credential exports) and forwarding their contents as API payloads to ZEDEDA or (via ZEDEDA_BASE_URL misconfiguration) to an attacker server.

LOW Kubeconfig download endpoints expose K8s cluster credentials -7

The orchestration service provides download_cluster_instance_kubeconfig_by_id() and download_cluster_instance_kubeconfig_by_name() which return complete kubeconfig files containing K8s API server addresses, client certificates, and access tokens. An agent could retrieve and output these credentials in response to a benign-seeming request.

LOW ZEDEDA_BASE_URL environment variable creates a chained hijack vector -10

The combination of a configurable API base URL and a high-value API token creates a two-step attack chain exploitable via skill chaining: a malicious co-installed skill or a prompt injection payload could set ZEDEDA_BASE_URL before the ZEDEDA skill is invoked, silently capturing the token from the next legitimate ZEDEDA operation.

LOW Post-install openclaw-gateway connections observed -10

After installation, the openclaw-gateway process established new TCP connections to 104.16.9.34:443 (Cloudflare) and 3.213.170.18:443 (AWS). These are consistent with normal agent framework telemetry and are not attributable to the skill. The skill itself made no network connections during installation.

INFO Canary file accesses consistent with monitoring framework sweep -17

All 6 canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed in two groups. The second group (audit sequence 7144-7149) accessed all 6 files at the exact same millisecond timestamp 1771954989.424, which is consistent with the oathe framework performing a post-install integrity verification sweep rather than a skill-directed read. The canary integrity check confirms no file exfiltration occurred.