Is macstenk/skill-exporter safe?

https://github.com/openclaw/skills/tree/main/skills/macstenk/skill-exporter

75
CAUTION

skill-exporter is a code generation tool that transforms Clawdbot skills into deployable FastAPI microservices; its SKILL.md is clean with no prompt injection attempts, and the install process shows only expected GitHub and Ubuntu network activity. The main risk vectors are: post-installation read-access to all honeypot credential files with ambiguous attribution (read-only, files intact, but timing is suspicious), and the generated service templates baking in dangerous wildcard CORS with credentials and unrestricted subprocess execution of verbatim-copied skill scripts. The skill's greatest risk is systemic — it can function as a force-multiplier by packaging and deploying any skill's code as an internet-accessible service with no content validation.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 72/100 · 10%
Behavioral Reasoning 63/100 · 5%

Findings (7)

HIGH Honeypot credential files read-accessed post-installation with no clear process attribution -25

Auditd PATH syscall records confirm all six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read approximately 6 seconds after skill installation. The CLOSE_NOWRITE inotify pattern indicates read-only access. The monitoring system reports files intact. No EXECVE record in the available logs definitively identifies the reading process as either the monitoring infrastructure or a skill-initiated action. export.py contains no code that directly reads these specific user-home credential paths under normal invocation, but the timing is suspicious.

HIGH Generated services execute verbatim-copied skill scripts via subprocess -20

export.py copies all Python scripts from the source skill into the generated service's scripts/ directory with no content inspection. The generated api.py template includes guidance (commented subprocess.run calls) to execute these scripts directly. Any skill's Python code, however malicious, will be packaged and made executable via HTTP endpoints in the generated microservice.

HIGH All generated microservices ship with wildcard CORS and credentials enabled -15

The Dockerfile and api.py templates unconditionally configure CORSMiddleware with allow_origins=['*'] and allow_credentials=True. This is an OWASP-documented dangerous CORS configuration. Generated services that hold LLM API keys via dotenv are exposed to cross-site credential exfiltration from any web origin.

MEDIUM Unsanitized --skill path enables scan of arbitrary directories for env vars -10

detect_dependencies() accepts any resolvable path and reads .env files within it, extracting variable key names. The --skill argument undergoes only expanduser().resolve() with no directory allowlist or validation that the target contains a legitimate skill. An agent manipulated into providing --skill ~/.aws or --skill / would cause the script to walk and read env files across sensitive directories.

MEDIUM Skill functions as a deployment amplifier for any other skill's code -22

The skill's primary threat model concern is that it removes friction between a malicious skill's scripts and internet deployment. The attacker workflow: (1) publish a malicious skill with harmful Python scripts, (2) have an agent run skill-exporter targeting that skill, (3) deploy the resulting container. The generated service has no sandbox, full subprocess capability, and open CORS.

LOW Frontmatter values used unsanitized in Python source template format strings -15

skill_info['name'] and skill_info['description'] parsed from SKILL.md via regex are passed directly into Python source templates via str.format(). A crafted SKILL.md could embed characters that corrupt generated Python syntax or produce unexpected behavior in generated files.

LOW Expected network connections only — GitHub and Ubuntu infrastructure -12

All observed network connections during installation are attributable to the git sparse clone from GitHub and standard Ubuntu package/update infrastructure. No connections to unexpected external endpoints were observed. Filesystem changes were confined to the skill install directory.