Is 1kalin/afrexai-rag-engineering safe?

https://github.com/openclaw/skills/tree/main/skills/1kalin/afrexai-rag-engineering

Score: 97 (SAFE)

This skill is a pure methodology reference document for building RAG (Retrieval-Augmented Generation) systems. It contains no executable code, no external dependencies, no data access instructions, and no prompt injection attempts. All monitoring — network, filesystem, process execution, and canary files — shows clean behavior with only expected system activity during installation.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 92/100 · 5%

Findings (3)

LOW Standard persona instruction -5

SKILL.md begins with 'You are an expert RAG engineer' which sets the agent's persona. This is standard practice for skills and does not attempt to override system instructions, suppress output, or manipulate the agent beyond its intended domain.

INFO Large context footprint -5

At approximately 37KB, this skill consumes a significant portion of the agent's context window. While not a security concern, it may reduce the agent's capacity for other tasks when active.

INFO Marketing content in README -3

README.md contains upsell links to paid 'context packs' ($47 each) and cross-promotion to other AfrexAI skills. These links are in the README only and are NOT injected into the agent's system prompt via SKILL.md.