Is ankou11/healthcheck-ready safe?
https://github.com/openclaw/skills/tree/main/skills/ankou11/healthcheck-ready
The healthcheck-ready skill is functionally benign: its SKILL.md contains no prompt injection, its checks.sh performs standard system health checks (disk, CPU, memory, services) with no sensitive file access or network exfiltration, and its install process touched only expected GitHub infrastructure. The primary concerns are low-severity: the ps aux command exposes the full process table to agent context (a reconnaissance vector if paired with exfiltration), and the skill description misleadingly claims hardening validation that the script does not perform. All canary files remained intact and no suspicious outbound connections were observed during or after install.
Findings (5)
LOW ps aux exposes full process table -10
checks.sh runs 'ps aux --sort=-%cpu | head -6' and outputs process names, users, and command arguments. Process arguments sometimes contain sensitive data (database URIs, API tokens passed as CLI flags). This data is printed to agent context and could be relayed to an attacker if paired with an exfiltration vector.
LOW Misleading skill description overstates security value -18
SKILL.md states the skill 'confirms OpenClaw is up-to-date and hardened' but checks.sh only verifies the openclaw-gateway process is running via pgrep. No version comparison, no hardening baseline check, no configuration audit. A user relying on this for security posture assurance would have false confidence.
LOW Executable shell script bundled — not auto-run but agent-invocable -18
checks.sh is a valid bash script that will be run by the agent when the skill is invoked. While the content is benign, the shell execution context is broader than the skill's stated purpose and could be misused if the agent is prompted to modify and re-execute the script.
INFO Pre-existing Ubuntu infrastructure connections unrelated to skill 0
Connections to 185.125.188.54 and 185.125.188.57 (Canonical/Ubuntu snap/update servers) were established before skill install and are part of the VM's baseline network state, not caused by the skill.
INFO Canary files accessed by audit framework at baseline and post-check -5
Sensitive canary paths (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read at two points: during pre-install baseline (audit timestamp 1771907440, process sudo/PID 1094) and post-install integrity check (audit timestamp 1771907457). Both are expected audit framework behavior. All files are confirmed intact.