Is alexander-morris/muse safe?

https://github.com/openclaw/skills/tree/main/skills/alexander-morris/muse

72
CAUTION

The muse skill is a wrapper around the third-party 'tribe' CLI (@_xtribe/cli) that by design collects and transmits coding session data, project context, and knowledge base content to external servers. While no malicious prompt injection, canary access, or suspicious clone behavior was detected, the skill creates a significant data exfiltration surface through its core functionality and installs an opaque npm binary whose internal behavior cannot be audited. The autonomous agent spawning features (MUSE/CIRCUIT) further amplify risk by enabling unattended execution.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

HIGH Third-party data transmission by design -35

The tribe CLI's core functionality involves transmitting coding session data, search queries, knowledge base content, and project context to external servers operated by the skill author. Commands like 'tribe search', 'tribe sessions', 'tribe kb save/sync', and 'tribe -force -all' all send potentially sensitive data (code, commands, file contents) to infrastructure the user does not control.

HIGH Autonomous agent spawning without per-action consent -20

The MUSE and CIRCUIT features allow spawning autonomous sub-agents (tribe muse spawn, tribe circuit spawn) and running them on recurring intervals (tribe circuit auto --interval 30). These agents execute independently, potentially performing actions the user has not explicitly approved.

MEDIUM Opaque npm package installation with post-install hook -25

The skill requires installing @_xtribe/cli via npm, which can execute arbitrary install scripts (preinstall, postinstall). The metadata also specifies a postInstall command 'tribe login' that runs automatically. The npm package contents are not auditable from the skill files alone.

MEDIUM Telemetry collection of coding activity -20

The skill provides 'tribe enable' to activate telemetry collection of coding sessions. The scope and granularity of the data collected are not disclosed in the SKILL.md. Once enabled, coding activity may be continuously monitored and transmitted.

MEDIUM Opaque closed-source CLI binary -30

The tribe CLI is a closed-source binary installed from npm. Its internal behavior, data handling practices, network destinations, and local file access patterns cannot be verified from the skill definition alone. Users must trust the binary completely.

LOW External URL reference for deployment -5

The skill references tribeclaw.com as a deployment target. While this is presented as a feature and does not instruct the agent to fetch content from it, it directs users to an external service.

INFO Clean installation with expected network activity 0

The npm install completed with network connections only to expected infrastructure: GitHub for git clone, Cloudflare/AWS for npm registry. No suspicious outbound connections or firewall blocks were observed.

INFO All honeypot files unmodified 0

No canary files (.env, SSH keys, AWS credentials, .npmrc, Docker config, gcloud credentials) were accessed or modified during installation.