Is sudoku safe?

https://clawhub.ai/odrobnik/sudoku

82
SAFE

The Sudoku skill is a legitimate puzzle-fetching and rendering tool with clean, well-structured Python code. It makes expected outbound HTTP requests to sudokuonline.io for puzzle data and generates share links to SudokuPad. No prompt injection, no sensitive file access, no malicious behavior detected. The primary risk surface is the regex-based parsing of external HTML content and the standard supply-chain risk of pip-installing three well-known Python packages.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (8)

LOW Outbound HTTP requests to external puzzle source -12

The skill makes HTTP GET requests to sudokuonline.io to fetch puzzle data. While this is the declared and expected behavior, it establishes an outbound network channel. The fetched HTML is parsed with regex to extract puzzle data. No user data is sent in these requests.

LOW Share links embed puzzle data in URLs -10

Generated share links to sudokupad.svencodes.com and sudokupad.app contain LZ-compressed puzzle data encoded in the URL path. This is benign (only puzzle grid data, no user/system information) but represents data leaving the local system via constructed URLs.

LOW Python scripts executed via shell with external library dependencies -15

The skill requires installing three Python packages (requests, Pillow, lzstring) and executing Python scripts via shell commands. These are well-known packages, but pip install always carries a small supply-chain risk. The skill's setup instruction uses 'python3 -m pip install', which is standard.

LOW Regex-based HTML parsing of external content -15

The fetch_puzzles() function downloads HTML from sudokuonline.io and parses it using regex to extract JavaScript object literals, then converts them to JSON. While the parsing is constrained (only extracts objects with 'id' and 'data' fields, and data is used as integer arrays), regex-based HTML parsing of external content is inherently fragile and could behave unexpectedly if the source site changes.

INFO Platform reads sensitive files during installation bootstrap -15

The filesystem monitoring detected reads of .env, .aws/credentials, and .openclaw/ configuration files during the clone/install phase. These reads are attributable to the OpenClaw platform's own bootstrap process (environment setup, credential loading), not the skill's code. The skill's own code contains no references to these files.

INFO Skill requests shell execution for Python scripts -10

The SKILL.md instructs the agent to run shell commands (./scripts/sudoku.py with various subcommands). This is proportionate to the skill's stated purpose of fetching and rendering sudoku puzzles, and the commands are well-defined with clear arguments.

INFO Workspace root discovery walks parent directories -5

The _find_workspace_root() function traverses up to 6 parent directories looking for a 'skills/' subdirectory marker. This could theoretically find an unintended workspace root, but the only consequence would be writing puzzle JSON files to the wrong directory — not a security concern.

INFO macOS-specific font path hardcoded -5

The rendering code hardcodes /System/Library/Fonts/Helvetica.ttc as the font path. This will fail gracefully on non-macOS systems (falls back to PIL default font). Not a security issue but indicates limited cross-platform testing.