Is simmer safe?
https://clawhub.ai/adlai88/simmer
The 'simmer' skill is essentially empty — it contains no executable code, no prompt injection content, and no source files beyond a .clawhub/lock.json metadata file. While currently harmless, the mismatch between the skill name and its internal dependency reference ('academic-research-hub'), combined with the complete lack of functional content, suggests this may be a placeholder or name-squatted package. No malicious behavior was observed during clone or installation.
Findings (4)
LOW Empty skill with mismatched dependency name -5
The skill 'simmer' contains no functional content (empty SKILL.md, no source code) but has a .clawhub/lock.json referencing a dependency called 'academic-research-hub' v0.1.0. The mismatch between the skill slug and its dependency name is unusual and could indicate name squatting or a placeholder repository.
LOW Minimal content makes full audit impossible -15
With only a lock.json file and empty SKILL.md, there is insufficient content to fully assess data exfiltration risk. If the skill relies on dynamic content loading via the lock.json dependency mechanism, malicious payloads could be introduced after installation without being captured by this audit.
INFO SSH and system file access during audit window -5
Filesystem monitoring captured reads of SSH host keys, /etc/shadow, /etc/passwd, and PAM configuration files. These are consistent with normal sshd daemon activity on the ephemeral VM and are not attributed to the skill itself.
LOW Empty SKILL.md provides no agent instructions -10
The SKILL.md file is completely empty, meaning this skill would inject no instructions into an agent's system prompt. While this means zero prompt injection risk, it also means the skill provides no declared functionality, which is atypical.