Is aatmaan1/communication-skill safe?

https://github.com/openclaw/skills/tree/main/skills/aatmaan1/communication-skill

89
SAFE

The aatmaan1/communication-skill is a pure markdown skill providing communication coaching workflows (deep listening, response crafting, psychological awareness) with no executable code, no package scripts, no git hooks, no submodules, and no embedded exfiltration mechanisms. Installation behavior was clean: the only network activity was a standard HTTPS git clone to GitHub via Oathe's own infrastructure, no new persistent connections were established, and all canary honeypot files remained intact. The only notable surface is the skill's language encouraging broad context gathering from 'connected apps' and 'parallel conversations', which is disclosed functionality but expands the data footprint an agent will access when the skill is active.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (3)

LOW Broad context-gathering language in Step 1 -10

SKILL.md instructs the agent to gather context from 'connected sources (when available)' including 'recent messages with this person/group' and 'parallel conversations about the same topic'. While disclosed in the capability description and legitimate for the stated use case, this language encourages the agent to scan beyond the current conversation thread, increasing the data surface accessed during a single skill invocation.

LOW Capability description references 'connected apps' integration -10

The SKILL.md frontmatter describes the skill as able to synthesize context 'across conversations, connected apps, and user notes'. In an agent platform that exposes email, Slack, or calendar integrations, this framing could justify the agent reading broadly from connected data sources. The risk is low as the skill contains no code to force such reads, but it provides rhetorical cover for broad data access.

INFO Canary files read by audit infrastructure only 0

Inotify and auditd logs show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were opened at installation time. Correlation with process timestamps confirms these accesses occurred as part of Oathe's own pre- and post-install canary scanning, not any skill-initiated process. All CLOSE events are CLOSE_NOWRITE, confirming read-only access. Canary integrity check passed.