Oathe Security Badge

Is skill/slides-generator safe?

https://clawhub.ai/skill/slides-generator

69
CAUTION

This skill provides legitimate PDF generation functionality but implements it through high-risk methods, including remote shell script execution and embedded Python code. The 'curl | bash' pattern for downloading external scripts presents a significant security vulnerability that could be exploited for system compromise.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 30/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (5)

CRITICAL Remote Shell Script Execution -50

The skill instructs the agent to download and execute shell scripts directly from GitHub using the 'curl | bash' pattern, without verification or sandboxing.

HIGH Embedded Python Code Execution -20

The shell script contains extensive embedded Python code that can execute system commands, create files, and process user input with broad filesystem access.

MEDIUM System Dependency Installation -15

The skill instructs the agent to install system dependencies globally, which could affect the entire system environment.

MEDIUM Network Activity During Installation -15

External network connections were observed during skill installation to download dependencies and scripts.

LOW Potential Attack Vector -10

The skill provides a pathway for code execution that could be exploited by attackers or combined with other malicious skills.