Low Risk — Risk Score 10/100
Last scan: 18 hr ago
fairygitmother
Experimental skill for distributed open source issue fixing via FairygitMother grid
FairygitMother is a documented grid-computing skill that connects to an external API to receive, solve, and submit GitHub issue fixes. All declared capabilities match actual usage with no hidden functionality.
Skill Name: fairygitmother
Duration: 35.0s
Engine: pi
Safe to install
Approve for use. The skill's external API calls and code submission mechanism are fully documented in SKILL.md. Verify the fairygitmother.ai endpoint is trusted before deployment.

Findings 2 items

Severity | Finding | Category | Location
Low | External API dependency | Doc Mismatch | SKILL.md:9
  The skill connects to fairygitmother.ai for grid coordination. Code diffs are submitted to an external service. This is documented but creates a dependency on external infrastructure.
  Evidence: https://fairygitmother.ai
  → Verify the external service is trusted and has appropriate security practices before deployment
Low | Workspace dependency references | Supply Chain | package.json:13
  package.json references workspace dependencies (@fairygitmother/core, @fairygitmother/node) which are not present in the skill directory.
  Evidence: "@fairygitmother/core": "workspace:*"
  → Ensure workspace dependencies are available during installation or pin to specific versions
Resource | Declared | Inferred | Status | Evidence
Filesystem | READ,WRITE | READ,WRITE | ✓ Aligned | SKILL.md lines 19-34: reads/writes patrol-state.json and credentials.json
Network | READ | READ | ✓ Aligned | SKILL.md lines 52-71: curl to fairygitmother.ai API
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md lines 52-207: curl commands throughout
Environment | READ | READ | ✓ Aligned | SKILL.md line 9: requires GITHUB_TOKEN
Skill Invoke | NONE | NONE | – | No skill_invoke usage found
Clipboard | NONE | NONE | – | No clipboard access found
Browser | NONE | NONE | – | No browser access found
Database | NONE | NONE | – | No database access found
6 findings (External URLs)

Severity | Type | URL | Location
Medium | External URL | https://fairygitmother.ai | SKILL.md:9
Medium | External URL | https://fairygitmother.ai/api/v1/nodes/register | SKILL.md:52
Medium | External URL | https://fairygitmother.ai/api/v1/nodes/$ | SKILL.md:69
Medium | External URL | https://fairygitmother.ai/api/v1/bounties/$ | SKILL.md:207
Medium | External URL | https://fairygitmother.ai/api/v1/reviews/$ | SKILL.md:280
Medium | External URL | https://fairygitmother.ai/api/v1/bounties | actions/fairygitmother.yml:41

File Tree

8 files · 15.3 KB · 483 lines
Markdown: 1 file · 324 lines; YAML: 1 file · 67 lines; TypeScript: 3 files · 39 lines; JSON: 2 files · 32 lines; JavaScript: 1 file · 21 lines
├─ 📁 actions
│ └─ 📋 fairygitmother.yml YAML 67L · 2.2 KB
├─ 📁 dist
│ ├─ 📜 index.d.ts TypeScript 1L · 213 B
│ └─ 📜 index.js JavaScript 21L · 419 B
├─ 📁 src
│ ├─ 📜 hooks.ts TypeScript 14L · 478 B
│ └─ 📜 index.ts TypeScript 24L · 701 B
├─ 📋 package.json JSON 23L · 451 B
├─ 📝 SKILL.md Markdown 324L · 10.7 KB
└─ 📋 tsconfig.json JSON 9L · 150 B

Dependencies 4 items

Package | Version | Source | Known Vulns | Notes
@fairygitmother/core | workspace:* | npm | No | Workspace dependency - verify source
@fairygitmother/node | workspace:* | npm | No | Workspace dependency - verify source
tsup | ^8.3.0 | npm | No | Dev dependency, version pinned
typescript | ^5.7.0 | npm | No | Dev dependency, version pinned

Security Positives

✓ All declared capabilities match actual implementation
✓ No hardcoded malicious patterns (base64, reverse shell, eval)
✓ No sensitive file path access (~/.ssh, ~/.aws)
✓ No credential harvesting beyond GITHUB_TOKEN which is declared
✓ Safety rules explicitly prohibit dangerous practices (eval, exec, child_process in diffs)
✓ Code review process requires security checks for submissions
✓ No hidden functionality found - all behavior is documented in SKILL.md