Is asteinberger/pm2 safe?
https://github.com/openclaw/skills/tree/main/skills/asteinberger/pm2
The asteinberger/pm2 skill is a clean, well-structured PM2 process manager reference document containing no prompt injection, no hidden instructions, no executable code, no git hooks, and no submodules. Suspicious canary file accesses visible in the monitoring logs are attributable to the audit harness infrastructure rather than the skill itself, as confirmed by timing analysis (pre-clone access) and the canary integrity monitor (all files intact). The only meaningful risks are inherent to what PM2 does — an agent with this skill has knowledge of commands that could disrupt production processes, and the startup workflow legitimately requires sudo elevation.
Findings (4)
INFO: Canary file opens are audit harness artifacts (-8)
Inotify and auditd recorded opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. Timing analysis places the first batch 5 seconds before the git clone begins (audit harness initialization) and the second batch during audit teardown. No mechanism exists in SKILL.md to trigger these reads. Canary integrity confirmed intact.
LOW: Sudo escalation recommended for pm2 startup (-5)
The skill legitimately documents that pm2 startup outputs a command that must be run with sudo. An agent following this skill exactly could escalate to root for process manager initialization. This is standard, transparent PM2 documentation behavior — not a hidden injection.
LOW: Destructive PM2 commands documented without guardrails (-10)
Commands like pm2 delete all, pm2 kill, and pm2 unstartup can terminate all managed Node.js processes. The skill does not add any caution notes, which means an agent could execute these destructively in response to an ambiguous user request.
INFO: Install connects only to GitHub, as expected for monorepo sparse checkout (0)
The sole external destination during installation was 140.82.121.3:443 (GitHub). This is the expected behavior of the audit harness sparse-checkout mechanism. No unexpected C2 or exfiltration endpoints were contacted.