Is microck/catbox-upload safe?
https://github.com/openclaw/skills/tree/main/skills/microck/catbox-upload
The catbox-upload skill contains clean, non-obfuscated Python code with no prompt injection, malicious install hooks, or autonomous credential harvesting. However, its core purpose — transmitting arbitrary files to anonymous public hosting services — makes it a purpose-built exfiltration enabler when combined with standard agent filesystem access. The permanent storage option and attacker-userhash feature meaningfully increase risk beyond a generic HTTP upload utility.
Findings (7)
HIGH (-35): Core functionality transmits arbitrary files to anonymous public hosting
The skill's sole purpose is to HTTP POST any file path the agent provides to catbox.moe (permanent) or litterbox.catbox.moe (temporary, up to 72h). No path filtering, allow-listing, or content inspection is performed. Any file readable by the agent process — including secrets, credentials, or source code — can be exfiltrated in a single tool invocation. This is the intended behavior of the skill, not a side effect.
HIGH (-25): Userhash parameter enables uploads to attacker-controlled catbox.moe accounts
The --userhash flag associates uploaded files with a specific registered catbox.moe account. An attacker who pre-provisions an account hash and injects it into a task description, system prompt, or agent instruction can silently collect all files the agent uploads under that session. This converts the tool from anonymous sharing into targeted, logged exfiltration.
MEDIUM (-20): Catbox permanent storage creates indefinite public file exposure
Files uploaded to catbox.moe persist permanently and are publicly accessible to anyone with the URL. There is no TTL, no authentication on download, and no mechanism for the user to purge uploads made without a userhash. Sensitive data inadvertently or maliciously uploaded becomes permanently part of the public internet.
MEDIUM (-23): High combination risk with standard agent filesystem access
LLM agents routinely have read access to the working directory, home directory, and environment variables. This skill requires no escalation to create a functional exfiltration chain: (1) agent reads sensitive file, (2) agent calls upload.py with that path. No additional permissions, tokens, or capabilities are needed. catbox.moe specifically is flagged as a known exfiltration and C2 staging service in multiple threat intelligence reports.
LOW (-12): Pip dependency installation required before use
The skill depends on the requests library (>=2.31.0). While requests is a well-audited, widely used package, requiring pip installation introduces a supply-chain dependency step and means the skill cannot run in environments where outbound pip is blocked or where the package is not pre-installed.
LOW (-12): Pre-install outbound HTTPS connection to Canonical servers
A sustained HTTPS connection to 185.125.188.54:443 (Ubuntu MOTD/security news service, owned by Canonical) was active before the skill installation began and absent after. This is consistent with normal Ubuntu OS background activity and is not attributable to the skill. Noted for completeness.
INFO (-8): Canary credential files read during monitoring window
All six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP application_default_credentials.json) were opened and read at two points in the monitoring session: audit timestamp 1771902776 (before git clone) and 1771902793 (after install). The access pattern — sequential reads of all six files in identical order at both timestamps — matches the oathe framework's own pre/post-install canary verification routine. No writes or deletions were detected. Canary integrity check confirmed all files intact.