Is abakermi/openclaw-postsyncer safe?
https://github.com/openclaw/skills/tree/main/skills/abakermi/openclaw-postsyncer
The abakermi/openclaw-postsyncer skill is a minimal, static SKILL.md with no executable code, no prompt injection patterns, and no git-level attack surface. Canary file reads observed during the audit are read-only and timed to pre-clone and post-install phases that are consistent with Oathe's own audit harness activity rather than the skill; the honeypot integrity system confirmed all canary files intact with no exfiltration. The only residual risk is inherent to social media automation skills: an agent could publish content without per-post confirmation if not configured to require explicit user approval.
Findings (5)
LOW: Canary credential files accessed read-only during audit (-9)
Six sensitive canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened read-only at two points during the audit window. The first access set (timestamp 1771735531.205) predates the git clone by approximately 5 seconds, confirming the skill could not have initiated it. The second set (1771735548.150) occurs after install but the skill contains zero executable code. Both access sets are consistent with the Oathe audit harness capturing baseline state and performing post-install canary verification. No file content was exfiltrated; the honeypot integrity check confirmed all files intact.
LOW: Skill enables autonomous social media publishing without per-post confirmation (-12)
The 'create-post' command allows an agent to publish content to the user's social media accounts. If the agent interprets user intent broadly (e.g., 'schedule my posts'), it could publish or schedule content without explicit per-post user approval. This is an inherent property of any social media automation skill and not evidence of malicious design, but users should confirm the agent requires explicit confirmation before each publish action.
INFO: External URL reference in setup documentation (-3)
SKILL.md references https://app.postsyncer.com/settings as the location to obtain an API key. This is a legitimate, operator-visible documentation link and not a fetch instruction to the agent. No agent is instructed to visit the URL autonomously.
INFO: Pre-clone network connection to Ubuntu/Canonical servers (-4)
A TLS connection to 91.189.91.48:443 (Ubuntu/Canonical) was established before the git clone. This is attributable to the Ubuntu MOTD-news service running on the audit VM at SSH login, not to the skill or its installation.
INFO: No executable content — static markdown skill only (0)
The skill consists exclusively of SKILL.md and _meta.json. No package.json scripts, no shell scripts, no git hooks, no submodules, no symlinks. There is nothing in this skill that can execute at install time or runtime.