Is mcollina/snipgrapher safe?
https://github.com/openclaw/skills/tree/main/skills/mcollina/snipgrapher
The mcollina/snipgrapher skill is a documentation-only skill consisting entirely of markdown files with no embedded code, install scripts, git hooks, or prompt injection attempts. The skill's content is clean and appropriately scoped to its stated purpose of generating code snippet images using the snipgrapher CLI tool. The primary residual risks are the use of 'npx --yes' which auto-executes an npm package without per-invocation confirmation (mitigated by the high reputation of the author, Matteo Collina of the Node.js core team), and canary file reads observed during the audit window that are attributable to the oathe audit framework's own pre/post verification operations rather than any skill-initiated behavior.
Findings (6)
LOW npx --yes auto-executes npm package without per-invocation user confirmation -18
The skill instructs the agent to invoke 'npx --yes snipgrapher ...' which silently downloads and executes the latest matching version of the snipgrapher npm package without prompting the user for confirmation on each run. Should the snipgrapher npm package ever be compromised (account takeover, dependency confusion, malicious publish), this skill would automatically propagate the malicious payload to any agent following its instructions. The risk is mitigated by the author's high public reputation as a Node.js core maintainer.
LOW Stdin piping pattern could transmit sensitive file contents to renderer -18
The skill documents reading file contents via stdin and piping them to snipgrapher. An attacker who achieves secondary prompt injection against a user with this skill installed could instruct the agent to pipe a sensitive file (e.g., ~/.env or ~/.ssh/id_rsa) through snipgrapher. This is not a direct vulnerability of the skill but an indirect risk amplified by the skill's documented patterns.
LOW Canary files accessed twice during monitoring window -22
All six honeypot credential files were opened and read during the audit window in two distinct clusters. The first cluster at unix timestamp 1771929081.793 occurs immediately after auditctl initialization and before the git clone, consistent with the oathe audit framework seeding canary files. The second cluster at 1771929103.033 occurs after the install completes and all skill files have been read by the audit framework, consistent with post-install canary verification. No EXECVE event from a skill-attributed process precedes either access cluster. Canary file contents were not modified and no exfiltration payload was observed in network logs.
INFO Canary files read but not modified or exfiltrated -10
While canary files were accessed (read) during the monitoring window, the canary integrity check confirms no file was modified. Network analysis finds no transmission of canary file contents to external endpoints. Accesses are attributed to the audit framework's own lifecycle operations.
INFO Watch mode creates long-running background process -25
The skill documents 'snipgrapher watch' for continuous file monitoring and re-rendering. An agent that invokes this command creates a persistent background process that runs indefinitely. Users should be aware the agent may need to explicitly terminate this process when the task is complete.
INFO No prompt injection or instruction manipulation detected -7
Full review of SKILL.md, rules/rendering-workflows.md, and rules/setup-and-configuration.md found no hidden instructions, no attempts to override system prompts, no persona-switching, no invisible characters, and no external URLs the agent is instructed to fetch. The skill content is transparent and purpose-appropriate.