Is maxquick/hippius safe?
https://github.com/openclaw/skills/tree/main/skills/maxquick/hippius
The maxquick/hippius skill is a well-structured, legitimate documentation skill for Hippius decentralized S3-compatible storage on Bittensor Subnet 75. SKILL.md contains no prompt injection, persona manipulation, instruction overrides, or hidden directives; the bundled Python script uses safe subprocess patterns and only connects to expected Hippius endpoints. The primary concerns are operational rather than malicious: a plaintext HTTP RPC endpoint leaks blockchain account addresses in transit, and the skill's inherent bulk-sync capability means an agent with filesystem access could upload arbitrary local content to a third-party storage network — which is the skill's intended purpose but warrants user awareness.
Category Scores
Findings (7)
LOW RPC endpoint uses plaintext HTTP -8 ▶
The query_storage.py script and SKILL.md reference http://api.hippius.io (no TLS) for blockchain RPC calls. Account addresses in SS58 format are transmitted without transport-layer encryption, exposing identity to any network observer on the path.
LOW Bulk directory sync to third-party S3 endpoint -8 ▶
SKILL.md prominently documents 'aws s3 sync ./local-dir/ s3://
LOW Python script executes AWS CLI via subprocess -15 ▶
query_storage.py invokes the aws CLI using subprocess.run with a list of arguments. List-style invocation prevents shell injection, but the script runs external system commands as a side effect of execution. Bucket names and key prefixes from user-controlled arguments are interpolated into the S3 URI target, which is then passed as a single list element — argument smuggling to AWS CLI flags is theoretically possible with a crafted bucket name containing spaces or flags.
INFO External documentation URLs in SKILL.md -5 ▶
SKILL.md links to docs.hippius.com, console.hippius.com, hipstats.com, and the hippius-cli GitHub repo. An agent following the skill may fetch these URLs to resolve troubleshooting steps. These are legitimate service endpoints, not attacker-controlled infrastructure, but an agent should not autonomously browse external links without user confirmation.
INFO Storage skill enables agent-driven file upload to external endpoint -5 ▶
When combined with an agent that has read access to the local filesystem, this skill gives the agent a fully functional channel to upload arbitrary files to a third-party decentralized storage network. This is the skill's intended purpose, but users should be aware that agent actions like 'upload my project' or 'sync this directory' will transmit data to Hippius infrastructure outside their direct control.
INFO Canary file access events attributable to audit framework, not skill 0 ▶
Filesystem monitoring recorded OPEN/ACCESS events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at timestamp 1771919132 (07:45:32). This is 6 seconds before the git clone to GitHub began at 1771919138 (07:45:38), placing the accesses firmly within the oathe audit framework's canary initialization window. A second sweep at 1771919155 corresponds to the post-install canary integrity check. The canary integrity report confirms all files remain unmodified.
INFO Installation performed standard HTTPS GitHub clone only -5 ▶
The installation process connected exclusively to github.com (140.82.121.4:443) over HTTPS to retrieve the skill via sparse checkout. Pre-existing connections to Ubuntu/Canonical infrastructure (91.189.91.49, 185.125.188.57) were unrelated to the skill and were absent from the post-install connection state. No unexpected processes were spawned and no files were written outside the designated skill directory.