Is mleray24/proxymock safe?
https://github.com/openclaw/skills/tree/main/skills/mleray24/proxymock
The proxymock skill is a legitimate CLI reference wrapper for Speedscale's proxymock traffic capture tool. No prompt injection, hidden code execution, exfiltration scripts, or malicious installation behavior was detected. The primary risks are inherent to the tool's design: it functions as a transparent proxy that captures all application traffic into LLM-readable files and supports cloud sync to Speedscale's infrastructure, creating a data exfiltration vector if an agent records sensitive app traffic and pushes the snapshot. The MCP server mode can also expand the agent's tool surface if invoked.
Findings (7)
LOW Cloud sync commands can exfiltrate captured traffic -10
The skill documents proxymock cloud push snapshot and proxymock cloud pull snapshot commands that send captured traffic recordings to Speedscale's cloud service. If an agent records traffic from an application handling API keys, database passwords, or auth tokens and subsequently pushes the snapshot, sensitive data leaves the local environment.
LOW Traffic proxy captures all egress including credentials in transit -5
proxymock operates as a transparent proxy intercepting all HTTP/HTTPS/gRPC/database traffic. Captured RRPair files will contain request headers, bodies, and responses including Authorization headers, API keys, database query results, and session tokens. These are stored on disk in the proxymock/ directory and described as LLM-readable.
LOW Shell script replay_and_report.sh included in skill package -8
The skill ships a shell script that wraps proxymock replay. While the script is benign (set -euo pipefail, mktemp temp file, standard argument passthrough), its presence means an agent could be directed to execute it. No suspicious commands are present.
LOW MCP server mode extends agent tool surface -7
The skill documents proxymock mcp which starts a Model Context Protocol server for AI tool integration. If invoked, this would register additional tools into the agent's execution environment, expanding the attack surface beyond what is declared in the skill metadata.
INFO External documentation URL reference -3
language-reference.md contains a reference to an external URL (docs.speedscale.com). This is a passive documentation pointer, not an instruction to the agent to fetch the URL. No prompt injection vector.
INFO Canary files read post-install but files remain intact -8
PATH audit records show all six canary files were accessed at timestamp 1771914370.749 (after skill install). However, the batch access pattern, combined with the audit report confirming all files intact and the filesystem diff showing no home directory changes, is consistent with the audit infrastructure performing a post-install verification scan rather than skill-initiated reading. No skill code reads sensitive file paths.
INFO RRPair files are LLM-readable and could carry injected content -10
RRPair files store recorded request/response pairs in markdown format described as 'human and LLM readable.' If a malicious actor crafted RRPair files and an agent were directed to inspect or edit them, the markdown content could contain prompt injection. No such files are present in this skill package.