Oathe Security Badge

Is wzyn20051216/solidworks-automation-skill safe?

https://github.com/wzyn20051216/solidworks-automation-skill

75
CAUTION

This is a legitimate SolidWorks CAD automation skill for Windows that appears to have been developed as a personal tool and published to GitHub. The SKILL.md content is free of prompt injection and the skill does not exfiltrate data, but it has two significant operational security concerns: a postinstall npm hook that automatically registers the MCP server across up to five AI tool configurations without a separate consent step, and a destructive close-all-documents MCP tool with no confirmation safeguard. The repository also shows signs of personal rather than production-grade development, including hardcoded user paths and an unrelated personal image asset.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

HIGH npm postinstall hook silently executes MCP registration code -25

The postinstall npm lifecycle hook automatically runs install.js during npm install or npx execution. This causes the skill to immediately attempt to register itself in Claude Code, Codex, Claude Desktop, Cursor, and Windsurf without any additional consent step, before the user has reviewed the skill's behavior.

HIGH Automatic registration modifies AI tool configurations for 5 clients -20

register_all_ai_mcp.js aggressively inserts a persistent MCP server entry into all detected AI tool configurations (Claude Code user scope, Codex, Claude Desktop, Cursor, Windsurf) in a single operation, creating a lasting footprint across the user's entire AI toolchain.

MEDIUM Destructive close_all_documents tool exposed via MCP without strong safeguards -15

The MCP server exposes a tool capable of closing all open SolidWorks documents, potentially destroying unsaved engineering work. While the tool is marked destructiveHint=True, no confirmation prompt or rate limiting exists to prevent accidental invocation by an agent.

MEDIUM Skill instructs agent to run pip install commands upon user Y/N confirmation -10

The sw_preflight.py workflow described in SKILL.md instructs the agent to display a consent prompt and then execute pip install pywin32 comtypes in a local shell, establishing a pattern of agent-mediated package installation.

LOW Personal user path C:\Users\23201\ hardcoded and exposed in skill documentation -10

The developer's personal Windows username (23201) is embedded in multiple SKILL.md files as an example path. This leaks personally identifying information and suggests the skill was developed as a personal tool without adequate sanitization for public distribution.

LOW Unrelated personal social media image (assets/douyin-balance.jpg) included in repository -8

A Douyin (the Chinese counterpart of TikTok) account balance image is present in the assets/ directory with no reference in any skill code. This file appears to have been accidentally committed from the developer's personal working directory, indicating poor repository hygiene.

INFO Honeypot credential files read before clone; attributed to monitoring infrastructure 0

All six canary files were read ~5.5 seconds before the git clone started, consistent with the Oathe monitoring system capturing pre-install baseline state. Canary integrity verification confirms no modification or network exfiltration occurred.