Is abrahamventura/roofing-knowledge-mentor safe?
https://github.com/openclaw/skills/tree/main/skills/abrahamventura/roofing-knowledge-mentor
Roofing Knowledge Mentor is a well-structured, narrowly-scoped domain knowledge skill consisting entirely of professional markdown content (SKILL.md plus six roofing-domain reference documents) and a benign Python structural validator. No prompt injection patterns, data exfiltration mechanisms, suspicious executable code, unexpected network behavior, or canary file compromise were detected at any layer of analysis. The skill's reference file-loading design is transparent, bounded to its own directory, and consistent with standard reference-augmented skill architecture.
Findings (4)
INFO Intent-driven local reference file loading -3
The SKILL.md intent-routing section instructs the agent to load one of six local markdown files (e.g., references/measurement-reasoning.md) based on query classification. The paths are hardcoded relative paths within the skill's own references/ directory. There is no user-controlled path interpolation and no instruction to load files from arbitrary locations. This is standard design for reference-augmented skills but is noted as it expands the agent's filesystem read activity during skill invocation.
INFO Bundled Python validation script -5
The skill includes scripts/quick_validate.py, a self-contained structural validator for checking SKILL.md frontmatter and directory conventions. Static analysis confirms: imports are os, re, sys, pathlib.Path, and typing only; no subprocess, socket, urllib, requests, or similar modules; no exec/eval/compile calls; no file writes; reads only within the skill root. The script was not executed during the audit (no corresponding EXECVE event for python3 against this path).
INFO Monorepo sparse-checkout via HTTPS to GitHub -5
Installation performed a shallow clone of the openclaw/skills monorepo (depth 1, no-checkout), then used git sparse-checkout to extract only the target skill path before copying it to the execution directory and removing the clone. This is a legitimate multi-skill monorepo pattern. The substantial TCP download volume (several hundred KB) is consistent with fetching a git pack for a large monorepo even with shallow clone flags.
INFO Canary file reads attributed to audit framework 0
Filesystem open/access events for all six honeypot credential files were observed at two points: timestamp 1771654518 (approximately 6 seconds before the git clone began) and timestamp 1771654540 (after all skill file analysis completed). Both windows align precisely with the audit system's pre-install baseline capture and post-install integrity verification phases respectively. No skill-originated process (no EXECVE for python3, bash, or any skill script) accessed these paths. Canary integrity confirmed intact by the audit platform.