Is matt-dean-git/satgate safe?
https://github.com/openclaw/skills/tree/main/skills/matt-dean-git/satgate
SatGate CLI is a legitimate API management tool, but it poses moderate security risks because its installer downloads and executes a remote binary with only optional checksum verification. The skill functions as advertised but introduces supply chain attack vectors.
Findings (4)
HIGH Downloads and executes remote binary -60
The install.sh script downloads a binary from GitHub releases and executes it without guaranteed checksum verification: if the SHA256SUMS file is unavailable, the script skips the check and installs the unverified binary, creating a supply chain attack vector. Note that even when the check runs, a SHA256SUMS file fetched from the same release only detects corruption or in-transit tampering; an attacker who replaces the release controls both files, which only a signature from a key held outside the repository would catch.
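The download-then-verify step the finding describes, written to fail closed: a missing or non-matching SHA256SUMS aborts the install instead of being skipped. This is an added example, not the skill's own install.sh; the binary name satgate, the constructed file contents, and the exit codes are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the satgate install.sh: a fail-closed verification step
# for a release binary. The reported script skips the check when SHA256SUMS
# is absent; this version treats a missing or non-matching sums file as fatal.
# The binary name "satgate" and the file contents below are constructed.

# sha256 of a file as a bare hex digest; falls back to shasum where
# coreutils is not installed (e.g. macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_release BINARY SUMS_FILE
# 0 = hash matches; 1 = mismatch; 2 = sums file missing/empty;
# 3 = sums file has no entry for the binary. Only 0 may proceed to install.
verify_release() {
    bin="$1"
    sums="$2"
    name=$(basename "$bin")
    if [ ! -s "$sums" ]; then
        echo "refusing to install $name: checksum file '$sums' missing or empty" >&2
        return 2
    fi
    # Accept both "hash  name" and the binary-mode "hash *name" forms.
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print $1; exit}' "$sums")
    if [ -z "$expected" ]; then
        echo "refusing to install $name: no entry in $sums" >&2
        return 3
    fi
    actual=$(sha256_of "$bin")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to install $name: sha256 mismatch" >&2
        return 1
    fi
    return 0
}

# Constructed scenario: a fake binary with a matching SHA256SUMS, then the
# same binary tampered with, then the sums file removed. Prints the three
# verify_release return codes separated by spaces.
demo_scenarios() {
    tmp=$(mktemp -d)
    printf 'fake satgate binary\n' > "$tmp/satgate"
    printf '%s  satgate\n' "$(sha256_of "$tmp/satgate")" > "$tmp/SHA256SUMS"

    if verify_release "$tmp/satgate" "$tmp/SHA256SUMS"; then ok=0; else ok=$?; fi

    printf 'tampered\n' >> "$tmp/satgate"
    if verify_release "$tmp/satgate" "$tmp/SHA256SUMS"; then tampered=0; else tampered=$?; fi

    rm -f "$tmp/SHA256SUMS"
    if verify_release "$tmp/satgate" "$tmp/SHA256SUMS"; then missing=0; else missing=$?; fi

    rm -rf "$tmp"
    echo "$ok $tampered $missing"
}

demo_scenarios
```

In an installer, only the `return 0` path should be followed by the `sudo install` step; every other return code should leave nothing on disk. Since the sums file here comes from the same release as the binary, this check covers corruption and transit tampering, not a compromised release.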
MEDIUM Requires sudo privileges -20
The installation script requests sudo privileges to install the binary system-wide in /usr/local/bin, so any problem in the script or the downloaded binary runs with root access to the system.
MEDIUM System processes accessed credential files -15
Monitoring detected access to sensitive files (.env, SSH keys, AWS credentials) during audit setup, though timing indicates this was system processes rather than the skill itself.
LOW Supply chain dependency risk -30
The skill introduces a supply chain dependency on the SatGate-io/satgate-cli GitHub repository. If compromised, malicious binaries could be distributed.