Is 1va7/skill-refiner safe?

https://github.com/openclaw/skills/tree/main/skills/1va7/skill-refiner

90
SAFE

skill-refiner is a legitimate compliance auditing tool for OpenClaw skills that includes benign read-only scripts and transparent instructions. Its primary risk is that it instructs the AI agent to delete files, move directories, and rewrite descriptions across other installed skills in the workspace, which could cause unintended data loss or behavior changes. All destructive operations are agent-mediated rather than automated, providing user oversight through permission prompts.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 97/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (7)

MEDIUM Instructs agent to modify other skills' content -8

Step 4 of the workflow instructs the agent to rewrite description fields in other skills' SKILL.md files ('Weak description — Rewrite to include: what the skill does + trigger conditions'). This could alter when and how other skills are triggered, effectively changing agent behavior across the workspace.

MEDIUM Instructs agent to delete files from other skill directories -7

The skill instructs the agent to delete README.md, INSTALLATION_GUIDE.md, CHANGELOG.md, and other files from other skills' directories as part of compliance enforcement. Users may not expect a 'skill refiner' to delete documentation from other installed skills.

LOW Bundled executable scripts invoked by agent -12

The skill includes bash and Python scripts that the SKILL.md instructs the agent to execute directly. While all scripts are read-only and benign upon manual review, bundled executables always carry inherent risk if modified upstream.

LOW Broad workspace directory enumeration -5

find_skills.sh searches the entire OpenClaw workspace tree for SKILL.md files, revealing directory structure and skill names. While limited to SKILL.md discovery, this provides a map of all installed skills.

LOW Instructs agent to move directories across filesystem -5

Step 4 instructs the agent to move skill directories to ~/.openclaw/workspace/skills// if they are found outside the expected location. This filesystem reorganization could break references or workflows.

INFO Destructive operations are agent-mediated, not automated 0

All file deletions, moves, and content modifications are performed by the AI agent following SKILL.md instructions, not by the bundled scripts. This means users with permission prompts enabled will see each action before it executes, providing a safety net.

INFO Clean installation with expected network activity only -3

Installation produced only expected network connections (GitHub for clone, Ubuntu update servers, local DNS). No unexpected processes were spawned. Filesystem changes limited to installation tooling artifacts in /tmp/jiti/.