Is lws803/nom safe?

https://github.com/openclaw/skills/tree/main/skills/lws803/nom

91
SAFE

The lws803/nom skill is a minimal, well-scoped GitHub activity feed reader that correctly limits itself to a single tool (mcp_web_fetch) and includes reasonable input validation. The install process was clean with no unexpected network connections, no code execution, and all canary files intact. The primary residual risk is indirect: the skill renders content from the third-party beta.nomit.dev service into the agent context without explicit output sanitization, creating a theoretical prompt injection vector if that backend is ever compromised or malicious.

Category Scores

Prompt Injection 87/100 · 30%
Data Exfiltration 94/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

MEDIUM Third-party API response injected into agent context without sanitization -13

The skill directs the agent to fetch JSON/RSS from beta.nomit.dev and render the results (title, summary, author fields) directly into its output. If the backend service is compromised or operated maliciously, it could embed prompt injection instructions in these fields (e.g., in a PR title or summary) that the agent would process as instructions.

LOW User query parameters transmitted to third-party service -6

Search terms, org names, date ranges, and repo identifiers supplied by the user are sent as URL query parameters to beta.nomit.dev. This is expected behavior for a search/feed skill, but the third-party service receives a log of the user's GitHub browsing interests.

LOW Dependency on unverified beta service -20

The skill hardcodes beta.nomit.dev as its sole data source. This domain uses a 'beta' subdomain, suggesting it may not have stable ownership, uptime, or security guarantees. A future ownership transfer or subdomain takeover could weaponize all deployed instances of this skill.

INFO No executable code or install-time hooks present 0

The skill consists solely of SKILL.md and _meta.json. No scripts, no package.json, no git hooks, no submodules, and no symlinks were found. Install is a pure file copy.

INFO Canary file accesses attributable to monitoring framework, not skill 0

Read-only accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials occurred at timestamps before and after the install. Timeline analysis confirms these are the oathe framework's pre-install baseline capture (ss -tunap runs immediately before) and post-install integrity verification, not activity caused by the skill.

INFO Input validation instructions reduce injection surface 0

The skill includes explicit input validation: org/repo names must match ^[a-zA-Z0-9][\w.-]*$, limit is clamped to 1-100, and query params require URL encoding. This reduces the risk of SSRF or URL manipulation via user-supplied arguments.