Is mibbou/digiforma safe?
https://github.com/openclaw/skills/tree/main/skills/mibbou/digiforma
The mibbou/digiforma skill is a clean, single-purpose API integration for the Digiforma training management platform. It contains no executable code, no prompt injection vectors, and no stealth data exfiltration paths; all credential file accesses observed during monitoring are attributable to the Oathe audit framework's own baseline and verification routines, confirmed by pre-clone timing and read-only syscall flags. The primary risk is inherent to its declared function: it can retrieve trainee PII, financial invoices, and session data at scale, which is expected behavior for this category of skill.
Findings (5)
LOW: Trainee PII accessible via declared queries (-10)
The skill provides ready-made GraphQL queries that return firstName, lastName, email, and phone for all trainees. While this is the stated purpose, it means any user prompt that triggers this skill can retrieve bulk PII from the Digiforma account. Pagination is supported, enabling full dataset extraction.
LOW: Invoice and financial data exposed by skill queries (-5)
The skill includes a pre-built query returning invoice amounts, status, due dates, and company names. An agent instructed to 'summarize financials' could extract this without explicit user intent to do so.
INFO: User-supplied search strings passed into GraphQL queries (-5)
The search query template uses 'NOM' as a placeholder. An agent receiving adversarial user input could potentially inject into the GraphQL query string via the search parameter. This is a standard risk for any API integration skill that interpolates user input.
INFO: Credential files read read-only by audit framework pre/post install (0)
inotifywait and auditd logs show OPEN/ACCESS/CLOSE_NOWRITE events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials. Timing analysis confirms these accesses occur at t=1771923530 (before the git clone at t=1771923536) and t=1771923548 (audit post-check). The skill contains no code capable of triggering these reads. All events are CLOSE_NOWRITE (read-only). Canary integrity confirmed intact.
INFO: No executable artifacts present (0)
The skill consists solely of SKILL.md and _meta.json. No scripts, binaries, package manifests, or git hooks were found. The only system call the skill instructs is curl to a declared HTTPS endpoint.