Is anova44/training-manager safe?
https://github.com/openclaw/skills/tree/main/skills/anova44/training-manager
The training-manager skill is a legitimate workspace management tool with genuine security defenses including dual-layer prompt injection detection, input validation in shell scripts, and explicit content security guidance. Its primary risk is architectural rather than malicious: the skill's core function is writing to files that are permanently injected into the agent's system prompt, creating a persistent write channel to the agent's behavioral context that survives across sessions. No direct malicious behavior, exfiltration attempts, or canary violations were detected during installation monitoring.
Findings (8)
HIGH Persistent System Prompt Write Surface -25
The skill's primary function is writing content to workspace files (SOUL.md, AGENTS.md, TOOLS.md, IDENTITY.md, USER.md, MEMORY.md) that are injected into the agent's system prompt on every session. The skill explicitly states: 'Content written by this skill lands in workspace files that become part of the agent's system prompt.' Any content that successfully passes the injection filters becomes a permanent behavioral modification. This is a fundamental architectural risk: the attack surface is not a one-time execution but a persistent write channel to the agent's core behavioral context.
MEDIUM Shell Execution of Filtered User Content -20
Multiple scripts accept user-provided content strings and execute them in shell contexts after applying a regex-based injection filter. The filter blocks backtick (`) and command-substitution ($()) patterns and a set of natural-language injection phrases. However, the filter does not screen for printf format string vulnerabilities, awk control characters in the consolidate path, or encoding schemes beyond base64. A carefully crafted input could potentially bypass these filters.
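The two gaps named above (printf format strings and awk escape handling) disappear if user content is never handed to a shell builtin or awk as something to interpret. The following is an added example, not code from the training-manager skill: a hypothetical append path and a hypothetical consolidate-style insert that keep the deny-list the audit describes (backticks and $() substitution) as a first layer, but rely on printf '%s' and awk's ENVIRON array so that '%' sequences and backslashes in the content are written literally. Function names, the heading string and the file layout are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical): hardened write path for workspace files.
# Layer 1: syntactic deny-list matching the patterns the audit says the
#          skill's filter blocks (backticks, $( ) command substitution).
# Layer 2: write the content as opaque data, never as a format string
#          and never through a shell or awk re-parse.

# Return 0 if the content passes the deny-list, 1 otherwise.
check_content() {
    content=$1
    case $content in
        *'`'*|*'$('*) return 1 ;;
    esac
    return 0
}

# Append a note to a workspace file.
# The content is an ARGUMENT to printf, not its format string, so a
# note like "aim for 100% coverage on %s tests" is written verbatim.
append_training_note() {
    file=$1
    content=$2
    check_content "$content" || return 1
    printf '%s\n' "$content" >> "$file"
}

# Insert a note directly after a trusted, operator-defined heading
# (the kind of move a consolidate step performs).  The content reaches
# awk via the environment, not via -v: awk -v applies backslash-escape
# processing to its value, whereas ENVIRON[] returns the bytes as-is.
insert_after_heading() {
    file=$1
    heading=$2
    content=$3
    check_content "$content" || return 1
    NOTE=$content awk -v h="$heading" '
        { print }
        $0 == h { print ENVIRON["NOTE"] }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}
```

Usage is `append_training_note ~/workspace/MEMORY.md "$note"` or `insert_after_heading ~/workspace/SOUL.md '# Training Updates' "$note"`; both return 1 without writing when the deny-list matches. The deny-list is still worth keeping as defence in depth, but the durable fix is that no later stage interprets the content at all.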
MEDIUM Soft Enforcement of Content Security Policy -15
The Content Security section instructs the agent LLM to screen content before calling scripts, but this is a behavioral instruction to the LLM, not a technical enforcement. A jailbroken or manipulated agent could skip this check. The script-level filters are a second layer but also bypassable (see code_execution finding). The 'translate, don't transcribe' principle is documented but not mechanically enforced — it relies entirely on the agent following instructions.
LOW JSON Construction via Unsafe String Concatenation -7
generate-skill.sh builds metadata JSON by directly concatenating values into a JSON string: BINS_JSON=$(printf '%s' "$REQUIRES_BINS" | sed 's/,/","/g'). The script itself acknowledges: 'NOTE: JSON is constructed via string concatenation. This works for simple comma-separated values but will break if bin/env names contain quotes, spaces, or special characters.' Input validation blocks the most dangerous characters, but this is a fragile construction that could malform generated SKILL.md files.
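The breakage the script's own NOTE describes comes from splitting on commas and wrapping in quotes without escaping what sits between them. The function below is an added example, not code from generate-skill.sh: a hypothetical csv_to_json_array that splits the list on commas only (so values with spaces survive), escapes backslashes and double quotes in each value, and emits a JSON array. It assumes only POSIX sh and sed.

```shell
#!/bin/sh
# Added example (hypothetical): build a JSON string array from a
# comma-separated list without the quote/space breakage that plain
# sed 's/,/","/g' concatenation has.

# Escape one value for use inside a JSON string literal.
# Order matters: backslashes first, then double quotes.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Turn "git,jq,my tool" into ["git","jq","my tool"].
csv_to_json_array() {
    list=$1
    out=
    old_ifs=$IFS
    IFS=','          # split on commas only; spaces stay inside values
    set -f           # no pathname expansion while the list is unquoted
    for item in $list; do
        esc=$(json_escape "$item")
        if [ -z "$out" ]; then
            out="\"$esc\""
        else
            out="$out,\"$esc\""
        fi
    done
    set +f
    IFS=$old_ifs
    printf '[%s]' "$out"
}
```

Where jq is available the same result is one call, `jq -cn --arg l "$REQUIRES_BINS" '$l | split(",")'`, which also escapes control characters that the sed version does not cover; the shell function is for environments where the generator must stay dependency-free.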
LOW Cross-Session Persistence of Any Injected Content -18
Unlike a skill that executes a one-time command, workspace files are loaded into every agent session. A single successful injection through this skill's write pipeline (via filter bypass, user social engineering, or LLM manipulation) results in indefinite persistence of the injected behavioral rule. The consolidate workflow additionally moves training updates from append-only sections into main document body, which could elevate injected content to a more authoritative position in the agent's context.
LOW Workspace Backup Concentrates Operator Context -12
export.sh creates timestamped tarballs at ~/.openclaw/backups/ containing all workspace files. These files may contain sensitive operator-provided information (identities, projects, preferences, corrections). While the backup is local-only, it concentrates this data into a single archive. If another skill, process, or vulnerability can read or exfiltrate this archive, it provides a high-value data collection target.
INFO Canary Files Accessed During Monitoring — Audit Harness Pattern -5
Six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed at timestamps 1771923351.609 (session start) and 1771923368.283 (post-install) with identical file sets both times. This pattern is consistent with the audit harness performing start-of-session and end-of-session canary checks rather than skill-driven access. A single .env access at 1771923362.042 during git operations is attributed to a background system process. All canary files confirmed intact.
INFO Network Activity Limited to Expected GitHub Clone 0
The only external network connection initiated during install was to 140.82.114.4:443 (github.com) for the git sparse-checkout clone of the skills repository. Pre-existing connections to 185.125.188./185.125.190. (Canonical/Ubuntu infrastructure) were present before and after the install. Connection diff shows no new persistent connections were established by the skill installation.