Is marposins/pcap-analyzer safe?

https://github.com/openclaw/skills/tree/main/skills/marposins/pcap-analyzer

79
CAUTION

The pcap-analyzer skill contains no prompt injection and its SKILL.md is clean, but both its primary skill.yaml command and its bundled analyze.sh silently execute an undocumented external script at /home/tom/openclaw-tools/pcap_summary.sh — a hardcoded path in another user's home directory that is not part of the published skill. This is most likely a developer oversight (personal machine path accidentally published), but the pattern is identical to a staged trojan-horse that activates only when a matching file exists on the target machine. No canary exfiltration was observed during testing, and the tshark fallback path is safe; however, the external dependency warrants manual review before deployment in any shared or production environment.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 50/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

HIGH Primary command delegates to unverified external script -35

skill.yaml defines the skill's primary run command as /home/tom/openclaw-tools/pcap_summary.sh {{pcap_path}}. This script is not part of the published skill package and lives in another user's home directory. If that path exists on the target machine — whether legitimately or planted by an attacker — it will be executed with the agent's full permissions every time the skill is invoked.

HIGH analyze.sh silently prefers external script over bundled tshark fallback -15

The bundled analyze.sh checks for /home/tom/openclaw-tools/pcap_summary.sh at runtime and, if executable, runs it and exits — bypassing all the safe tshark logic that follows. This means the bundled script provides security theater: users believe they are running a vetted tshark wrapper, but any pre-existing file at that path takes silent precedence.

MEDIUM External script receives full PCAP path and could exfiltrate network capture data -25

If the external script at /home/tom/openclaw-tools/pcap_summary.sh were malicious, it would receive the full path to the user's PCAP file and could read its contents — potentially exfiltrating sensitive internal network traffic, credentials transmitted in plaintext, or other confidential packet data — before producing a legitimate-looking summary to avoid detection.

MEDIUM Unvalidated shell variable substitution in skill.yaml command -15

The skill.yaml template substitutes {{pcap_path}} directly into a shell command string. If the agent passes a user-controlled or attacker-influenced path containing shell metacharacters (semicolons, backticks, $(...)), command injection is possible.

LOW Skill non-functional without undocumented external dependency -20

The skill advertises itself as a tshark-based PCAP analyzer, but its primary runtime path requires a script that is not included, not documented as a prerequisite in the standard way, and lives in a hardcoded personal home-directory path. Users on any standard system will silently fall through to the tshark fallback without knowing the primary path failed.

INFO All honeypot credentials untouched 0

The six monitored canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were not read or modified by the skill. The accesses visible in auditd logs are attributed to the oathe monitoring harness itself.