Is skill/uimap safe?
https://clawhub.ai/skill/uimap
The uimap skill provides website navigation guidance but requires dangerous external tool installation patterns including curl | bash execution and third-party npm packages. While the skill content itself appears benign, the installation requirements introduce significant security risks through external code execution and potential credential access.
Findings (7)
HIGH Dangerous curl | bash installation pattern -70
The skill documentation includes 'curl -fsSL https://s.dwimg.top/uimap-install/install.sh | bash' as an installation method, which downloads and executes arbitrary shell code from an external domain without verification.
MEDIUM External npm package installation required -15
The skill requires installation of the '@refore-ai/uimap' npm package from a third-party publisher, introducing supply chain risk.
MEDIUM Network connections during installation -40
The installation process established external network connections and performed DNS queries to multiple domains, indicating communication with remote services.
MEDIUM Filesystem modifications outside skill directory -20
Installation created configuration files in user directories (.clawhub, .config/clawhub) outside the intended skill directory.
MEDIUM Potential credential access via external tools -30
The required external CLI tools could potentially access sensitive files and credentials on the system during normal operation.
LOW External tool dependency -10
The skill relies on external CLI tools, which could introduce indirect prompt manipulation or behavior modification.
HIGH High-risk external dependencies -70
The combination of external code execution, network communications, and system-level tool installation creates a significant attack surface and supply chain risk.