Is arisylafeta/clawlist safe?

https://github.com/openclaw/skills/tree/main/skills/arisylafeta/clawlist

92
SAFE

Clawlist is a pure-Markdown task management meta-skill with no executable code, no data exfiltration vectors, and clean clone behavior. The only notable concerns are its assertive behavioral control patterns (mandatory skill invocation, infinite task loops with heartbeat monitoring) and its role as an orchestration layer that could amplify risks from other skills in the chain. All monitoring signals — network, filesystem, process execution, and canary integrity — are clean.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 98/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (5)

LOW Assertive behavioral control via Red Flags table -10

The doing-tasks sub-skill contains a 'Red Flags' table that systematically counters every reason an agent might have for not invoking a skill. Phrases like 'Questions are tasks. Check for skills.' and 'Skills tell you HOW to explore. Check first.' are designed to override the agent's autonomous reasoning. While this follows the established skill ecosystem pattern, it represents mild behavioral manipulation.

LOW Infinite task loops encourage persistent agent control -8

The skill promotes 'Infinite' task types that run 'Forever' with scheduled intervals (e.g., every 30 minutes). Combined with heartbeat integration that reads ongoing-tasks.md on every check to 'Execute due infinite tasks', this creates a persistent control loop where the agent continuously acts without explicit user approval for each iteration.

INFO Meta-skill could amplify malicious sub-skills -5

Clawlist is an orchestration meta-skill that chains brainstorming → write-plan → doing-tasks → verify-task, and can dispatch multiple subagents in parallel. While entirely legitimate for task management, this architecture means a single malicious skill in the chain would be invoked systematically and potentially across multiple parallel agents.

INFO Cross-session persistence via memory files -3

The skill writes completion reports to memory/plans/ and maintains ongoing task state in memory/tasks/ongoing-tasks.md. This persistence is standard for task management but establishes state that survives across sessions and could influence future agent behavior.

INFO Lock file references external skill dependency -2

The .clawhub/lock.json references an installed dependency 'academic-research-hub' at version 0.1.0. This dependency was not included in the audit scope and could introduce additional risk vectors not captured here.