Is auralithinc/aura-openclaw safe?

compile.py, memory.py, and query.py are thin wrappers that import from auralith-aura. All actual file reading, parsing, embedding, and storage logic lives inside this third-party package which is not included in the repository and not audited here. Any telemetry, credential harvesting, or exfiltration logic inside auralith-aura would be completely invisible from inspecting the skill files alone. The package is also not version-pinned, meaning a malicious update to PyPI would propagate automatically.

SKILL.md states 'No data leaves your machine' and the External Endpoints table lists 'None / None', yet the Notes section explicitly references the OMNI Platform for 'emphasis weighting and training features' applied to agent memory data. Training features in the context of a persistent memory and knowledge-base skill strongly implies that indexed content or memory entries are candidates for model training — which requires transmission to an external service. This contradiction is unresolved and represents a significant trust gap.

SKILL.md instructs the hosting agent that the skill 'is autonomously invoked by the agent as part of its normal operation' and that 'The agent decides when to compile documents and manage memory based on user requests.' This is a behavioral directive embedded in the skill definition that expands the invocation surface far beyond explicit user commands — any conversational mention of a directory or file could trigger silent indexing.

The /fact tier is described as 'Persistent — survives indefinitely.' The provided example shows the agent autonomously storing production database regions, API key rotation schedules, and user preferences after a single session. Any sensitive information mentioned in chat — credentials, internal hostnames, system architecture details — will be retained at ~/.aura/memory/ and injected into every future agent session with no automatic expiry or scope control.

The setup instructions require pip install auralith-aura with no pinned version. Once installed, the package is invoked with arbitrary user-supplied directory paths. A compromised or malicious update to auralith-aura on PyPI would be silently picked up on the next install and would immediately gain read access to any path the agent passes to compile.py.

Filesystem monitoring recorded OPEN/ACCESS syscalls on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json at two timestamps: before the git clone (audit 1771652261) and after skill installation (audit 1771652289). The canary integrity check reports files intact, and no skill-side code contains logic to read these paths. Analysis attributes these reads to the Oathe monitoring framework's baseline and post-install verification passes. However, the post-install read batch at 1771652289.624 warrants independent verification.

SKILL.md maps the common English verbs 'learn', 'compile', 'index', and 'remember' to directory-scanning shell commands. An agent following these instructions may invoke compile.py whenever a user uses any of these words in context, even when the user's intent is unrelated to file indexing.

A single outbound HTTPS connection to 140.82.121.3:443 (github.com) was observed, fully explained by the git clone of the openclaw/skills monorepo. No other external connections were made. Post-install network state was identical to pre-install state.