Is ajtgjmdjp/estat-mcp safe?

https://github.com/openclaw/skills/tree/main/skills/ajtgjmdjp/estat-mcp

94
SAFE

estat-mcp is a minimal documentation-only skill containing SKILL.md and _meta.json with no executable code, no install scripts, no git hooks, and no submodules. Sensitive file accesses observed in monitoring are consistent with the audit framework's own canary lifecycle (pre-install baseline and post-install integrity check), not with any skill-originated activity. All canary files passed integrity checks, outbound network traffic was limited to GitHub for the clone, and the skill's described functionality — querying Japan's official e-Stat open-data API — is low-risk and read-only.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 96/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 89/100 · 5%

Findings (4)

INFO Sensitive file reads attributed to audit framework canary lifecycle -12

Filesystem monitoring records two access events against .env, SSH private key, AWS credentials, npmrc, Docker config, and GCP credentials. The first cluster (epoch 1771738892) precedes the git clone and corresponds to the sudo/auditctl setup phase visible in the EXECVE log. The second cluster (epoch 1771738911) follows install completion and matches the timing of the audit system's post-install canary integrity sweep. The skill has no executable code that could initiate file reads; the only install artifact is a cp of two markdown/JSON files.

INFO User-facing install commands documented but not auto-executed -5

SKILL.md instructs users to run 'pip install estat-mcp' or 'uv tool install estat-mcp' and requires the ESTAT_APP_ID environment variable. These are documented manual setup steps. The metadata install block uses the 'uv' kind, which triggers user-facing installation only when the user explicitly installs the skill — no code ran automatically during this audit's clone phase.

INFO GitHub connection only — expected for skills monorepo sparse checkout -4

Network traffic consisted exclusively of a TLS connection to 140.82.121.4:443 (github.com) for the shallow sparse checkout. No connections to third-party data collection endpoints, unexpected CDNs, or attacker-controlled infrastructure.

INFO External URL reference in SKILL.md is legitimate official documentation -3

SKILL.md contains one external URL pointing to the official e-Stat API registration page (e-stat.go.jp). This is a benign documentation link for obtaining a free API key and does not instruct the agent to fetch it autonomously.