Is mackhendricks/dsiprouter-skill safe?

https://github.com/openclaw/skills/tree/main/skills/mackhendricks/dsiprouter-skill

87
SAFE

This is a legitimate dSIPRouter API client skill that provides wrapper functions for making HTTP calls to dSIPRouter REST endpoints. The skill contains no malicious code or data exfiltration attempts. The only security concerns are minor: bash eval usage and the potential for misuse if the user's environment is compromised.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (2)

MEDIUM Use of eval in bash script -25

The bash script uses 'eval echo' for path parameter substitution, which could execute arbitrary code if malicious input is provided. Although the usage appears to be limited to hardcoded paths, eval should generally be avoided in shell scripts.

LOW Potential for API misuse if environment compromised -10

The skill allows API calls to any dSIPRouter instance, with the target set via environment variables. If an attacker compromises the user's environment, they could use this skill to interact with internal/private dSIPRouter instances or perform unauthorized operations such as user management or service reloads.