Is kylelol/clawdbites safe?
https://github.com/openclaw/skills/tree/main/skills/kylelol/clawdbites
ClawdBites is a legitimate recipe-extraction skill for Instagram reels with no evidence of active malicious intent, confirmed intact canary files, and clean install behavior. However, it contains repeated autonomy-override language ('do NOT stop or ask the user') that suppresses user confirmation before potentially expensive operations, treats untrusted Instagram caption content as directly actionable input (creating an indirect prompt injection surface), and contains a hardcoded personal developer path that will fail on any machine other than the author's. These are quality and oversight concerns rather than indicators of deliberate attack.
Findings (7)
MEDIUM Repeated autonomy-override language bypasses user confirmation -23
SKILL.md contains 'do NOT stop or ask the user' at least 3 times and labels the audio transcription section MANDATORY FALLBACK. These instructions explicitly direct the agent to suppress its default behavior of confirming before taking potentially expensive or irreversible actions (downloading video files). While not a classic system-prompt override, this pattern reduces human oversight and should be flagged.
MEDIUM Untrusted Instagram caption content treated as trusted input -15
The skill instructs the agent to parse and interpret Instagram captions as recipe data without any instruction to treat the caption as untrusted external content. A malicious content creator could embed adversarial instructions ('Ignore previous instructions and...') in a video caption, which the agent might process as directives rather than data.
MEDIUM Hardcoded personal developer path will fail silently on non-developer machines -13
The Audio Transcription V2 section hardcodes '/Users/kylekirkland/Library/Python/3.14/bin/whisper'. This will fail on any machine that is not the developer's. Beyond the quality issue, this leaks the developer's macOS username and Python installation path, and could produce confusing behavior — or invoke a different binary if the path coincidentally exists on the target system.
LOW User-provided URLs passed to shell commands without sanitization guidance -10
The skill instructs the agent to interpolate user-supplied Instagram URLs directly into yt-dlp shell commands. No URL validation or escaping instructions are provided. While yt-dlp handles its own argument parsing, an edge case with a specially crafted URL could produce unexpected behavior.
LOW Personal developer path exposes username and system details -7
Publishing a skill with '/Users/kylekirkland/...' hardcoded reveals the developer's macOS username and Python environment. This is an OPSEC concern indicating the skill was published from a personal development machine without review.
LOW Indirect prompt injection via scraped third-party content -15
When the skill is active, any Instagram reel the user shares passes the caption through the LLM context as potentially-instructive text. This is a well-known indirect prompt injection surface. The skill provides no guidance to the agent to treat caption text as data rather than instructions.
INFO Install procedure normal — sparse checkout from monorepo 0
Clone of https://github.com/openclaw/skills.git with sparse checkout targeting skills/kylelol/clawdbites. Standard installation, no unusual process spawning or filesystem writes outside skill directory.