Is abakermi/product-hunt-launch safe?

https://github.com/openclaw/skills/tree/main/skills/abakermi/product-hunt-launch

Score: 95 (SAFE)

The product-hunt-launch skill is pure markdown documentation with zero executable code, no npm scripts, no git hooks, and no hidden prompt injection vectors. All suspicious file accesses and network connections observed during the audit are attributable to the oathe monitoring framework itself, not to any code or instructions contained in the skill. Canary integrity checks pass cleanly.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

LOW Post-install openclaw gateway network expansion -12

Two new established TLS connections and two loopback listeners appear after installation. These belong to the openclaw-gatewa process (pid=1086), the oathe platform's own infrastructure process, not to the skill under test. Flagged for transparency.

INFO Canary file reads by oathe framework pre- and post-install -8

Auditd recorded read-only access to six sensitive canary files at two points in time. Timing analysis places both access windows within oathe's own monitoring sweep cycles, not within any code introduced by the skill. Canary integrity check confirms no modification or exfiltration.

INFO PH_API_TOKEN env var exposure surface -5

Skill requires a Product Hunt developer token. In an agent context, this token would exist in the environment. The skill documentation does not instruct the agent to read or transmit this value beyond its stated CLI use.