Oathe Security Badge

Is Charpup/openclaw-tdd-sdd-skill safe?

https://github.com/Charpup/openclaw-tdd-sdd-skill

87
SAFE

This TDD+SDD development workflow skill appears legitimate with professional code structure and appropriate functionality. While sensitive files were accessed during installation (likely due to SSH/git operations), no actual data exfiltration occurred and canary files remained intact.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (2)

MEDIUM Sensitive File Access During Installation -25

During installation, the system accessed multiple sensitive credential files, including .env, SSH keys, AWS credentials, and other authentication files. This appears to be related to SSH authentication and git operations rather than malicious skill behavior, but it represents elevated privilege access.

LOW Executable Python Code Present -10

The skill contains executable Python code for TDD/SDD workflow management. All of the code appears legitimate and related to test-driven development workflows, but its presence represents potential code execution capability.