ecap Security Auditor
v2.0.0
Security audit framework for AI agent skills, MCP servers, and packages. Your LLM does the analysis — we provide structure, prompts, and a shared trust database.
⭐ 1 · 2.4k · 2 current · 2 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name and description (security audit framework) are consistent with the declared requirements for bash/jq/curl and with the bundled verification/upload scripts. However, the package includes scripts that expect an audit registry API and API keys even though the skill declares no required credentials; that is an acceptable design choice only if the agent is explicit about where the keys come from. Including automated upload/register scripts is plausible for an auditor, but it magnifies risk if callers run them without validation.
Instruction Scope
The SKILL.md instructs agents to run local scripts (verify.sh, upload.sh) and to run audits automatically on install; adversarial testing and static detection show prompt-injection patterns (e.g. 'ignore-previous-instructions' text and zero-width/unicode control characters). The instructions recommend actions that read package files and send reports to external endpoints; combined with the ability to override the registry URL in the scripts, this creates an avenue for data exfiltration or for convincing an agent to trust attacker-controlled responses.
Install Mechanism
No remote install/downloads are specified (instruction-only plus local scripts). This is lower risk than an install that fetches and executes arbitrary code from external URLs. The code files are bundled with the skill, so there is nothing being fetched at install time beyond what the skill already contains.
Credentials
The skill declares no required environment variables or primary credential, but its scripts and SKILL.md expect an audit registry API and an API key (credentials.json / Authorization header). More importantly, the scripts accept an arbitrary API URL override, and the registry (per the included test notes) accepts reports with few anti-abuse controls, meaning the skill can be used to submit or accept forged/poisoned findings. Requesting no credentials is not itself harmful, but the runtime flow relies on secrets and external endpoints without declaring or constraining them.
Persistence & Privilege
The skill does not request 'always:true' nor extra platform privileges. However the SKILL.md is explicitly phrased to encourage automatic auditing on installs and (per adversarial tests) contains language that could instruct an agent to act without user consent. That autonomous-invocation pattern combined with the ability to submit findings and the registry's weak anti-abuse controls increases the blast radius if the skill or its registry is abused.
Scan Findings in Context
[ignore-previous-instructions] unexpected: SKILL.md contains or was flagged for text that attempts to override agent instructions ('ignore previous instructions'). This is not expected in a benign auditor skill and is a prompt-injection signal.
[unicode-control-chars] unexpected: Zero-width/unicode control characters were detected in SKILL.md content. These are a common technique for hiding malicious prompts/instructions and are not expected in normal documentation.
What to consider before installing
- Do not auto-run the skill or its scripts. Manually inspect SKILL.md, scripts/verify.sh, scripts/upload.sh, and scripts/register.sh before executing anything. The package contains instructions that tell an agent to act without asking — treat those as untrusted.
- Check for and remove any ECAP_REGISTRY_URL / API URL overrides in scripts; verify.sh accepts a custom API URL (advertised in tests) and can be pointed to an attacker-controlled service. Always run verify.sh with a vetted registry URL or run it offline.
- Inspect upload.sh/register.sh for where API keys are stored or used. Ensure credentials.json (if used) has correct file permissions (600) and that scripts do not echo or leak keys. The included adversarial tests show credentials.json may be world-readable in some cases.
- Be cautious about following any SKILL.md curl or bash examples verbatim. The documentation includes copy-pasteable commands that could be modified in a fork to exfiltrate secrets.
- The skill's ecosystem (skillaudit-api) appears to accept report submissions with minimal anti-abuse; this enables "reputation bombing" (fake critical findings) that can alter trust scores. Do not rely solely on this registry's scores; verify findings independently.
- If you must use it: run all scripts in an isolated sandbox/container, restrict network access to only known-good endpoints, and require human confirmation before any upload or registry interaction.
- Additional info that would increase confidence: a published upstream repository (official homepage), signed release artifacts with matching integrity hashes from a trusted source, and governance controls on the registry (authentication, rate-limits, reviewer gates) or a vetted allowlist of registry URLs. If those exist and scripts are patched to disallow arbitrary API URL overrides and remove prompt-injection content, this assessment could move toward benign.
latest: vk97dj6cqqzgs08f0cjw7xd37ax80c16b
Runtime requirements
Bins: bash, jq, curl
