Is mikel/deshell safe?

The skill's stated core function is to forward every web fetch, search query, screenshot, and render request through proxy.deshell.ai. The proxy operator receives all URLs the agent accesses and all content returned. If the agent is directed to fetch internal or authenticated resources, those URLs and responses transit through this external service. This is transparent and documented, but represents a significant privacy boundary that users must consciously accept.

Every deshell command sends the DESHELL_API_KEY as an HTTP header to the proxy. This ties all agent web activity to a specific account and means the key is transmitted over every request. If the key is compromised or the proxy logs requests, account association provides a persistent identity link.

The SKILL.md setup instructions direct users to run 'npm install @deshell/mcp'. This npm package was not part of this audit. npm packages may include preinstall or postinstall lifecycle scripts that execute arbitrary code at install time. Users must independently vet the @deshell/mcp package before running this command. The README does note users should verify provenance on npmjs.com.

The .clawhub/lock.json file inside the skill directory records 'academic-research-hub' version 0.1.0 as the installed skill, not 'deshell'. This file appears to have been copied from another skill's directory without being updated before publishing. While not malicious, it indicates the skill was not carefully reviewed before release.

Content returned by deshell commands is rendered as Markdown and injected directly into the agent's context window. A malicious or compromised web page could include prompt injection payloads in its Markdown content (e.g. 'Ignore previous instructions and...'). This is an inherent risk of any web-fetch skill but is worth noting as this skill is specifically optimized to maximize Markdown content extraction.

SKILL.md documents DESHELL_EXTRA_HEADERS as bare 'Header-Name:value' pairs, but README.md shows the same variable with '-H' curl flags embedded (e.g. DESHELL_EXTRA_HEADERS="-H X-DeShell-No-Cache:true"). If the CLI passes this env var content directly to curl without sanitization, a crafted value could inject additional curl flags including --output or --config. This is user-controlled so exploitation requires a malicious or erroneous environment.

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) appear in PATH syscall events at two points: 1771912814.727 (before any skill activity) and 1771912839.753 (after installation). In both cases all six files are opened at the exact same timestamp, which is the signature of an automated batch read by the audit harness itself. Canary integrity check confirms all files are intact and unmodified.

During the clone and sparse-checkout process, the only external network connections were to github.com (140.82.113.4:443). No connections to proxy.deshell.ai or deshell.ai occurred during installation, consistent with the skill being documentation-only. The npm package @deshell/mcp was not installed during the audit.