Is alvinecarn/knowledge-answer safe?

https://github.com/openclaw/skills/tree/main/skills/alvinecarn/knowledge-answer

84
SAFE

knowledge-answer is a minimal citation-formatting skill that instructs agents to add numbered footnote citations to search-based answers. The skill content is entirely benign markdown: no executable code, no data access instructions, no prompt injection attempts. The primary concerns are procedural: unsubstituted template variables, an undeclared dependency on a separately-audited skill, and canary file accesses. The monitoring system itself confirms that those accesses resulted in no exfiltration, and they are consistent with audit infrastructure checkpointing behavior.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (6)

LOW Canary Files Accessed During Session -15

Six honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed at two points in the audit session. The canary integrity monitor explicitly confirms all files remain intact with no exfiltration. Both access batches show all six files accessed at identical millisecond timestamps, a pattern consistent with the audit infrastructure performing baseline and post-installation integrity checks rather than adversarial enumeration by the skill.

LOW Unsubstituted Template Variables in Skill Body -10

The skill body contains $DATE$ in both the frontmatter description and the Instructions section, and references $SESSION_GROUP_ID$ in the Usage Notes. These variables are not substituted in the installed skill file. The Usage Notes acknowledge this explicitly. If the platform's substitution mechanism can be influenced by an attacker, malicious content could be injected at runtime. In normal operation this is benign — the variables would be filled with current date and session ID.

LOW Undeclared Dependency on academic-research-hub Skill -8

The .clawhub/lock.json file records a dependency on the academic-research-hub skill (version 0.1.0, installed separately). This skill was not installed as part of this audit's scope. The knowledge-answer skill's behavior when used alongside academic-research-hub has not been audited. This is a supply-chain transparency concern — users installing knowledge-answer may not realize it is designed for use with another skill that could have its own security posture.

INFO Citation Format Renders External URLs as Clickable Links -5

The skill instructs the agent to format citations as clickable numbered footnotes in the format [N]. In normal use this is helpful citation behavior. In an adversarial scenario where search results include malicious URLs, the agent would be instructed to render those URLs prominently and clickably in its output. This is an inherent property of citation-formatting instructions and not a flaw specific to this skill.

INFO Clean Sparse-Checkout Installation 0

The installation process used git sparse-checkout to extract only the target skill subdirectory from the monorepo. No unexpected processes were spawned, no persistent system modifications were made, and network activity was limited to GitHub's infrastructure. The temporary clone directory was cleaned up after installation.

INFO No Executable Artifacts Present 0

The skill package contains exactly three files: SKILL.md, _meta.json, and .clawhub/lock.json. No scripts, binaries, git hooks, submodules, symlinks, or install-phase code of any kind were found.