Is chirp safe?
https://clawhub.ai/zizi-cat/chirp
This skill is an empty shell with no SKILL.md content, no source code, and a suspicious identity mismatch between its installed slug ('chirp') and its internal lock.json reference ('academic-research-hub'). While no active malicious behavior was detected during clone or runtime monitoring, the complete absence of declared purpose combined with the identity discrepancy makes this skill untrustworthy. It poses a significant risk as a potential staging artifact for future supply-chain attacks.
Findings (5)
CRITICAL Empty SKILL.md — no declared purpose or permissions -60
The skill's SKILL.md file is completely empty. A legitimate skill must declare what it does, what tools it needs, and what permissions it requires. An empty skill provides zero transparency and could be a placeholder for future malicious content injection via updates.
HIGH Identity mismatch: slug 'chirp' vs lock.json 'academic-research-hub' -30
The skill is installed as 'chirp' but the internal lock.json references 'academic-research-hub' as the skill name. This identity mismatch is a deceptive pattern that could confuse skill resolution, dependency chains, or user expectations about what is installed.
MEDIUM Empty skill is a potential update-based attack vector -50
While no exfiltration was detected during this audit, an empty skill that users install now could receive malicious updates later. The lack of any content means there is nothing to audit — which is itself a risk.
MEDIUM No functional content — possible staging artifact -50
The skill contains no executable code, no configuration, and no instructions. This could be a legitimate work-in-progress or a deliberate staging artifact for a supply-chain attack where malicious code is added after initial trust is established.
LOW Namespace squatting risk -95
Publishing an empty skill under a generic name like 'chirp' could be an attempt to squat on a desirable namespace, preventing legitimate skill authors from using this slug or tricking users into installing a non-functional or future-malicious package.