Is aly-joseph/jarvis-skills safe?
https://github.com/openclaw/skills/tree/main/skills/aly-joseph/jarvis-skills
The aly-joseph/jarvis-skills package is a documentation-only skill with no executable code, no prompt injection, and clean install behavior (its only network activity is connecting to GitHub for the git clone). The primary concerns are non-adversarial: the required implementation file (openclaw_control.py) is absent, making the skill non-functional; the unverified 'openclaw' pip dependency introduces a supply chain risk if it is auto-installed; and the declared capability to control industrial robots with dangerous physical parameters (500 kg payload, 7 m/s speed) demands careful deployment review. No canary files were compromised and no malicious instructions were found in SKILL.md.
Findings (7)
HIGH: Required Implementation File Missing (-20)
skill.json declares requiredFiles: ['openclaw_control.py'], but this file is absent from the installed package. The skill cannot perform any of its stated functions. An agent injected with this skill will believe it has robotic control capabilities it cannot exercise, and may attempt to autonomously obtain the missing file from an external or untrusted source.
HIGH: Physical Safety Risk, Industrial-Scale Robotics (-25)
The skill describes control of industrial robots from major manufacturers (UR, ABB, KUKA, Stäubli) with parameters that are physically dangerous: 3–500 kg payload capacity, 1–7000 mm/s speed. If an agent misinterprets user intent and issues a physical move or grab command, it could cause injury or property damage. This risk is compounded by the missing implementation file, which creates an unpredictable failure mode.
MEDIUM: Unverified External Package Dependency (-15)
The skill lists 'openclaw' as a Python dependency. This is not a well-known or verified PyPI package. If an agent or installer runs 'pip install openclaw', it executes code from an unverified third-party source. The skill's homepage points to a personal GitHub project with no evidence of security review.
MEDIUM: Undeclared Hardware Egress Channels (-12)
The skill communicates via USB Serial, Ethernet, and ROS, hardware channels that bypass standard network monitoring. An adversarially crafted implementation could use these channels to exfiltrate data outside the network boundary. While the SKILL.md itself does not direct such behavior, the declared communication surface is broader than the stated functionality requires.
LOW: Jarvis Persona Naming Overlap (-8)
The skill uses 'Jarvis' as its voice command activation prefix, which is the same name used by popular AI assistant paradigms. In a multi-skill agent environment, this could cause command routing ambiguity or allow an attacker to craft user input that invokes robot commands by addressing 'Jarvis' in a way that appears to be ordinary AI assistant interaction.
LOW: Hobbyist Origin Without Safety Certification (-10)
The skill is sourced from a personal hobbyist project (J.A.R.V.I.S.) and published under a personal GitHub account. There is no evidence of industrial safety review, hazard analysis, or compliance with robotic safety standards (ISO 10218, TS 15066, etc.). Deploying this skill in any environment with physical robots constitutes an unreviewed safety risk.
INFO: Credential Files Accessed Read-Only by Audit Infrastructure (0)
Honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were opened and then closed with the CLOSE_NOWRITE flag (read-only access) at audit initialization and completion. The timing and access pattern are consistent with the audit system's own canary setup and integrity verification cycles, not with skill activity.