Is askginadotai/workflows safe?

https://github.com/openclaw/skills/tree/main/skills/askginadotai/workflows

90
SAFE

The askginadotai/workflows skill is a documentation-only workflow authoring guide for the Ask Gina sandbox platform. No executable code, git hooks, install scripts, or prompt injection patterns were found in the skill package, and the canary files were confirmed intact. The credential file reads observed in monitoring logs predate the skill clone and are attributable to the oathe canary baseline system, not the skill. The primary residual risk is that the skill documents powerful workflow primitives (exec, bash steps, filesystem access) and enables financial trading automation via Polymarket integration, which could amplify harm if an agent were directed to create malicious workflows using this guidance.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 86/100 · 25%
Code Execution 89/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

LOW Credential file reads during monitoring window -7

Inotify and auditd logs record read-only opens of six credential files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) at two points flanking the install. Timeline analysis places both access batches outside the skill-execution window (before clone start at 1771919830 and after file enumeration at 1771919848). CLOSE_NOWRITE flags confirm read-only access. Canary integrity check confirms no content change. Attribution: oathe monitoring system canary baseline, not skill code.

LOW Skill documents powerful exec/bash/filesystem step primitives -11

The cli-and-definition.md reference explicitly documents exec(command), type:bash steps, and fs.promises.* as available Gina runtime APIs. An agent trained on this skill will know how to author workflows with arbitrary command execution and filesystem access. The skill does not instruct misuse, but lowers the knowledge barrier for creating high-privilege workflows.

LOW Financial trading automation with live side effects -28

The polymarket-patterns.md reference provides complete patterns for automated prediction market scanning and trading. SKILL.md explicitly lists 'trading actions' under side effects requiring declaration. Workflows authored using this skill can place real financial trades on Polymarket. Risk is proportional to the permissions the agent holds.

INFO No prompt injection patterns detected 0

SKILL.md contains no instruction-override directives, hidden unicode, persona-change instructions, external URL fetches, or requests for permissions beyond the stated scope. The security section promotes defensive patterns.

INFO Clean install with expected network traffic only 0

Git sparse checkout of skills/askginadotai/workflows from github.com produced only expected TCP traffic to GitHub's IP (140.82.121.3:443). No unexpected outbound connections, no backdoor listeners, no persistent connections established post-install.

INFO All honeypot files unmodified 0

Post-install canary check confirms all six honeypot credential files retain original content. No exfiltration via file modification or external POST detected.