Is agent-factory safe?
https://clawhub.ai/TevfikGulep/agent-factory
The 'agent-factory' skill failed to install because the ClawHub API returned a rate-limit error, leaving only a .clawhub/lock.json file and an empty SKILL.md. No malicious code, prompt injection, or data exfiltration was detected in the artifact that was fetched, but because the install was incomplete the full repository contents could not be audited, so this is not a clean bill of health. The lock file also references a different skill name ('academic-research-hub'), which adds to the opacity of this skill's true purpose.
Category Scores
Findings (6)
MEDIUM Install failed: incomplete audit artifact -20
The skill installation failed with 'Rate limit exceeded', so the full repository contents were never fetched and this audit is based on an incomplete snapshot. The only file with content is .clawhub/lock.json; SKILL.md exists but is empty. Nothing in this snapshot can confirm or rule out malicious content in the full repository, and the audit should be re-run once an install completes.
MEDIUM Empty SKILL.md: unverifiable intent -15
SKILL.md is completely empty. No prompt injection is present in this snapshot, but the skill also declares no purpose, scope, or permissions. Given the failed install, the most likely explanation is that the real SKILL.md was never downloaded and its content remains unknown.
LOW Lock file references different skill name -10
The .clawhub/lock.json references 'academic-research-hub' v0.1.0, but the repository is named 'agent-factory'. This mismatch suggests the repository was renamed or repurposed, or that the lock file is a leftover from a different skill's configuration. Whichever it is, the lock file cannot be trusted to describe what an install of 'agent-factory' would actually pull.
INFO Standard infrastructure network activity only -5
All network connections observed during the clone phase are attributable, by destination, to standard infrastructure: the clawhub API (216.150.1.1:443), an AWS-hosted endpoint consistent with the npm registry (3.209.150.151:443), DNS resolution, and local host services (mDNS, NTP, and CUPS on port 631) that are sandbox background traffic rather than skill activity. No unexpected or suspicious outbound connections were detected. Note that this covers only the clone phase; no skill code ran, so no runtime network behaviour was observed.
INFO Canary files untouched 0
All honeypot files (.env, SSH keys, AWS credentials, .npmrc, Docker config, GCloud credentials) remained intact, with matching hashes before and after the install attempt. Matching hashes show the files were not modified or deleted; they do not show whether the files were read, which is what the network-activity finding above is relied on to catch.
MEDIUM No skill definition prevents scope assessment -15
Without any SKILL.md content or source code, it is impossible to determine what permissions this skill would request, what tools it would use, or what instructions it would inject into the agent's system prompt. This opacity is itself a risk factor: a future update, or simply the content that failed to download this time, could introduce malicious instructions that this audit has not seen.
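The incomplete-install, empty-SKILL.md, lock-name-mismatch and canary-hash checks above are mechanical enough to re-run locally once an install attempt finishes. The following is an added example written for this page, not ClawHub's own audit harness. It assumes that the lock file is JSON with top-level "name" and "version" keys (the real schema is not shown here), that canary files are supplied as a list of paths, and that a canary modification is scored as HIGH with an assumed penalty, since the report only shows the untouched case. The demo snapshot it builds is constructed to mirror the artifact described above.

```python
"""Re-run the checks from this audit against an on-disk install snapshot.

Added example, not ClawHub tooling. Lock-file keys and the canary-tamper
penalty are assumptions; the other penalties are the ones the report shows.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import dataclass, field

PENALTY_INSTALL_INCOMPLETE = 20
PENALTY_EMPTY_SKILL_MD = 15
PENALTY_LOCK_NAME_MISMATCH = 10
PENALTY_CANARY_TAMPERED = 100  # assumed; the report scores only the untouched case (0)


@dataclass
class AuditResult:
    findings: list = field(default_factory=list)  # (severity, title) pairs
    score: int = 0

    def add(self, severity: str, title: str, penalty: int) -> None:
        self.findings.append((severity, title))
        self.score -= penalty


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_canaries(paths):
    """Hash every canary; a missing file is recorded as None so deletion is caught too."""
    return {p: (sha256_file(p) if os.path.isfile(p) else None) for p in paths}


def fetched_content(skill_dir: str):
    """Non-empty files outside .clawhub/; the lock file alone is not skill content."""
    found = []
    for root, dirs, files in os.walk(skill_dir):
        dirs[:] = [d for d in dirs if d != ".clawhub"]
        for name in files:
            path = os.path.join(root, name)
            if os.path.getsize(path) > 0:
                found.append(os.path.relpath(path, skill_dir))
    return sorted(found)


def audit_install(skill_dir, expected_name, canary_before, canary_after):
    result = AuditResult()
    skill_md = os.path.join(skill_dir, "SKILL.md")
    lock_path = os.path.join(skill_dir, ".clawhub", "lock.json")

    if not os.path.isfile(skill_md) or os.path.getsize(skill_md) == 0:
        result.add("MEDIUM", "Empty or missing SKILL.md", PENALTY_EMPTY_SKILL_MD)

    if not fetched_content(skill_dir):
        result.add("MEDIUM", "Install incomplete: no skill content fetched",
                   PENALTY_INSTALL_INCOMPLETE)

    if os.path.isfile(lock_path):
        with open(lock_path, encoding="utf-8") as f:
            lock = json.load(f)
        name = lock.get("name")  # assumed key
        if name and name != expected_name:
            result.add("LOW", f"Lock file names '{name}' v{lock.get('version')}, "
                              f"repository is '{expected_name}'", PENALTY_LOCK_NAME_MISMATCH)

    # Hash equality proves the canary was not modified or removed; it says nothing about reads.
    for path, before in canary_before.items():
        if canary_after.get(path) != before:
            result.add("HIGH", f"Canary file changed or removed: {path}", PENALTY_CANARY_TAMPERED)
    return result


def demo_audit() -> AuditResult:
    """Rebuild the snapshot this report describes (constructed, not the real artifact)."""
    with tempfile.TemporaryDirectory() as tmp:
        skill_dir = os.path.join(tmp, "agent-factory")
        os.makedirs(os.path.join(skill_dir, ".clawhub"))
        open(os.path.join(skill_dir, "SKILL.md"), "w").close()  # empty, as observed
        with open(os.path.join(skill_dir, ".clawhub", "lock.json"), "w", encoding="utf-8") as f:
            json.dump({"name": "academic-research-hub", "version": "0.1.0"}, f)

        canary = os.path.join(tmp, "home", ".env")  # constructed honeypot, not a real secret
        os.makedirs(os.path.dirname(canary))
        with open(canary, "w", encoding="utf-8") as f:
            f.write("AWS_SECRET_ACCESS_KEY=canary-value-not-a-real-secret\n")

        before = snapshot_canaries([canary])
        # the install attempt would run here; in this snapshot nothing touched the canary
        after = snapshot_canaries([canary])
        return audit_install(skill_dir, "agent-factory", before, after)


if __name__ == "__main__":
    report = demo_audit()
    for severity, title in report.findings:
        print(f"{severity:6} {title}")
    print("score delta:", report.score)
```

Against the constructed snapshot this yields the same two MEDIUM findings and one LOW finding as the report (score delta -45) and no canary finding. Point `audit_install` at a completed install and a fresh pair of canary snapshots to redo the assessment once the rate limit clears.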