Oathe Security Badge

Is skill/casedev safe?

https://clawhub.ai/skill/casedev

84
SAFE

This is a legitimate legal research skill that provides CLI tool installation and API access for legal databases, document processing, and search capabilities. The main security concerns are remote script execution during installation and web fetch capabilities that could theoretically be misused, but these appear to be within the legitimate scope of legal research tooling.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

MEDIUM Remote script execution during installation -25

The setup instructions recommend downloading and executing a shell script from GitHub using curl. While this appears to be legitimate package manager installation, it poses potential security risks if the remote script is compromised.

LOW Web fetch capability could be misused -10

The skill provides web fetching functionality that could theoretically be misused for data exfiltration by encoding data in URLs, though this appears to be legitimate functionality for legal research.

LOW External URL references in instructions -10

The skill instructions include references to external URLs for fetching legal content, which could potentially be misused, but this appears to be within the legitimate scope of a legal research tool.

INFO Canary file access during system boot -10

Monitoring detected access to sensitive files (.env, SSH keys, AWS credentials) but this occurred during system initialization, not skill installation, and files were not modified.