Is alexsjones/llmfit safe?

https://github.com/openclaw/skills/tree/main/skills/alexsjones/llmfit

90
SAFE

The llmfit-advisor skill is a hardware-aware LLM model recommendation tool with a clean SKILL.md: no prompt injection, no hidden instructions, no data exfiltration mechanisms, and no executable code. Dynamic monitoring found no malicious behavior during installation — network activity was strictly limited to a GitHub sparse-checkout clone, no new listening ports were opened, and all canary honeypot files passed integrity checks with reads attributable to the audit framework itself. The sole meaningful risk is the required third-party llmfit binary (AlexsJones/llmfit), which runs locally and collects detailed hardware telemetry; this binary is outside the current audit scope and represents a standard supply-chain trust assumption for any CLI-dependent skill.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

LOW External third-party binary installation required (llmfit) -18

The skill requires installing the llmfit binary from AlexsJones/llmfit via Homebrew tap or Cargo. This binary runs on the user's machine with user-level permissions and collects detailed hardware information. The binary itself is not included in the skill repository and cannot be audited within this scan. A compromised or future-updated version of this binary could exfiltrate hardware telemetry or execute arbitrary code during llmfit invocations.

LOW Canary files read during audit session — attributed to audit framework -12

Six sensitive honeypot files were opened and read at two points during the audit session. Timestamp correlation shows the first batch (1771652496.531) occurred approximately 5.5 seconds before the git clone command, aligning with the audit framework's pre-install baseline. The second batch (1771652518.089) occurred after installation completed, consistent with post-install audit scanning. All canary file integrity checks passed. No evidence the skill or the install process caused these reads.

INFO Hardware fingerprinting by llmfit creates a persistent local profile -15

The llmfit binary builds a detailed hardware fingerprint including CPU model and core count, total and available RAM, GPU vendor and model, VRAM size, GPU count, compute backend (Metal/CUDA/ROCm), and unified memory flag. While this data is used locally for model recommendation and no exfiltration is observed, users should be aware this profile could identify their machine. Future versions of the binary fall outside the current skill audit scope.

INFO Metadata kind field mislabeled for cargo install option 0

The second install option describes a cargo-based installation but uses kind:'node' rather than kind:'cargo'. This is a benign copy-paste error indicating limited quality control in the skill metadata, not deceptive or malicious behavior.