Is linux-service-triage safe?
https://clawhub.ai/KOwl64/linux-service-triage
This is a well-structured, benign Linux service diagnostic skill with appropriate safety guardrails including read-only defaults, user confirmation gates, and explicit disclaimers against exploitation. It contains no executable code, no hidden instructions, no exfiltration vectors, and clean install behavior. The primary risk is inherent to its domain: it normalizes broad system command execution that could be leveraged in combination with a malicious skill.
Findings (4)
LOW Broad shell command execution scope -10
The skill guides the agent to execute system administration commands including systemctl, journalctl, chown, chmod, nginx reload, dig, and ss. While gated behind user approval in the workflow, the breadth of commands normalized by this skill is wider than minimal. An agent primed by this skill may be more willing to execute system commands in adjacent contexts.
LOW Log file access could expose secrets -8
The skill instructs the agent to read application logs (journalctl, pm2 logs, nginx logs), which may incidentally contain secrets, API keys, or PII logged by the application. This is inherent to the diagnostic purpose but worth noting.
INFO Platform reads .env and .aws/credentials during bootstrap -15
Filesystem monitoring shows reads of .env and .aws/credentials at 05:30:53-54, but these are attributable to the openclaw platform initialization sequence (gateway lock creation, auth-profiles loading), not to the skill itself. The temporal correlation with openclaw.json and auth-profiles.json reads confirms this is platform behavior.
MEDIUM Elevated privilege context amplifies future risk -28
This skill will typically be used on servers where the agent has elevated access. The diagnostic commands it normalizes (systemctl, chown, nginx reload) establish a pattern where the agent routinely executes privileged operations. If a malicious skill were later installed alongside this one, the established permission patterns could be exploited.