Is authoredniko/clawcoach-setup safe?

https://github.com/openclaw/skills/tree/main/skills/authoredniko/clawcoach-setup

90
SAFE

ClawCoach Setup is a prompt-only skill (SKILL.md + metadata, no executable code) with a clean prompt injection profile and no network exfiltration instructions. Its primary risk is the collection and plaintext local storage of a rich health PII profile (biometrics, dietary restrictions, allergies) that persists as a readable data store for any subsequently installed skill, particularly the unaudited clawcoach-core dependency to which control is unconditionally transferred. All canary file accesses observed in monitoring are attributable to the oathe audit harness, not the skill.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

MEDIUM Health PII Written to Plaintext Local File -18

The setup flow collects a full biometric and behavioral profile — name, age, gender, height, weight, goal weight, activity level, dietary restrictions, and food allergies — and writes it unencrypted to ~/.clawcoach/profile.json. This file is readable by any agent skill, subprocess, or process running under the same user account. The risk from this skill alone is limited since no exfiltration instructions are present, but the data store it creates is a high-value target.

MEDIUM Unconditional Handoff to Unaudited Skill (clawcoach-core) -12

The final step instructs the agent to permanently hand off all future interactions to 'clawcoach-core'. This creates a mandatory dependency on a second skill that is not part of this audit. A malicious or compromised clawcoach-core could read the stored health profile and exfiltrate it, or override system instructions after setup has lowered the user's guard.

LOW Savage Roaster Persona Normalizes Agent Use of Personal Health Data for Mockery -10

The 'Savage Roaster' persona is described as using real user data (step counts, food orders, wearable device activity) to make pointed, public-facing commentary. While framed as consensual and humorous, this persona pattern trains users to accept an agent that actively monitors, stores, and weaponizes personal behavioral data. In combination with an unreviewed clawcoach-core, this could be used to psychologically pressure users.

LOW Health Profile Becomes Persistent Exfiltration Target for Co-installed Skills -18

Once written, ~/.clawcoach/profile.json persists indefinitely and can be read by any subsequently installed skill. The skill neither scopes access to this file nor protects it. A malicious skill installed after clawcoach-setup (including clawcoach-core itself) can silently read the full health and dietary PII without triggering any additional user consent.
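As an added illustration of the two profile.json findings above (not code from the skill or from the oathe harness), the script below inspects the file the way an auditor would, reports its mode bits and which of the collected PII fields it exposes, and then rewrites it with a 0700 directory and 0600 file. The path, the JSON key names and the sample profile are assumptions drawn from the finding text, not the skill's real schema. The hardened write is deliberately shown as a partial fix: it shuts out other accounts, but any process running as the same user, including a later-installed skill, reads it just as before, which is exactly the risk the findings describe.

```python
"""Audit and harden a plaintext health-profile file.

Added example; the skill itself ships no code. Paths, key names and the
sample profile are assumptions based on the finding text.
"""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Field names the finding lists; the real file's keys may differ (assumption).
HEALTH_PII_FIELDS = {
    "name", "age", "gender", "height", "weight", "goal_weight",
    "activity_level", "dietary_restrictions", "food_allergies",
}

# Constructed sample profile mirroring the fields the setup flow collects.
SAMPLE_PROFILE = {
    "name": "A. User", "age": 34, "gender": "f", "height": 170,
    "weight": 72, "goal_weight": 65, "activity_level": "moderate",
    "dietary_restrictions": ["vegetarian"], "food_allergies": ["peanuts"],
}


def inspect_profile(path: Path) -> Dict:
    """What a co-installed skill learns from this file, and how it is protected."""
    result = {"exists": path.exists(), "mode": None,
              "group_readable": None, "world_readable": None, "pii_fields": []}
    if not result["exists"]:
        return result
    mode = path.stat().st_mode
    result["mode"] = stat.S_IMODE(mode)
    result["group_readable"] = bool(mode & stat.S_IRGRP)
    result["world_readable"] = bool(mode & stat.S_IROTH)
    try:
        data = json.loads(path.read_text())
    except (ValueError, OSError):
        return result
    if isinstance(data, dict):
        result["pii_fields"] = sorted(k for k in data if k in HEALTH_PII_FIELDS)
    return result


def write_profile_restricted(path: Path, profile: Dict) -> int:
    """Write with 0700 dir / 0600 file. Narrows exposure to other accounts only:
    same-user processes (other skills) can still read it. Returns the new mode."""
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    os.chmod(path.parent, 0o700)
    # O_CREAT with mode 0600 avoids a window where the file is created wide open.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(profile, f)
    os.chmod(path, 0o600)  # tighten bits if the file already existed
    return stat.S_IMODE(path.stat().st_mode)


def demo(base: Optional[Path] = None) -> Dict:
    """Create a profile the way a naive write would (0644), then harden it."""
    base = base or Path(tempfile.mkdtemp())
    p = base / ".clawcoach" / "profile.json"
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(json.dumps(SAMPLE_PROFILE))
    os.chmod(p, 0o644)  # what a default umask of 022 typically yields
    before = inspect_profile(p)
    write_profile_restricted(p, SAMPLE_PROFILE)
    after = inspect_profile(p)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    # Check the real location on this machine (assumed path from the finding).
    print(json.dumps(inspect_profile(Path.home() / ".clawcoach" / "profile.json")))
```

Run it as-is to see the before/after on a temporary copy; the final line reports the real ~/.clawcoach/profile.json if one exists. Note that `after["pii_fields"]` is unchanged by the hardening, which is the point: file permissions do not separate one skill from another under the same user.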

INFO No Executable Code Present — Skill is SKILL.md Only 0

The skill repository contains exactly two files: SKILL.md and _meta.json. There are no scripts, executables, package manifests, git hooks, submodules, or symlinks. This eliminates the class of repository-borne supply-chain execution risks; instructions in SKILL.md can still direct the agent to invoke tools, which the Prompt Injection and Data Exfiltration categories above cover.

INFO Canary File Accesses Attributed to Oathe Monitoring Infrastructure 0

Honeypot file reads for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials appear in both inotify and auditd logs. Cross-referencing timestamps shows that the first batch (audit events 254-259, timestamp 1771936883) preceded the git clone (event 494, timestamp 1771936889) and is attributable to the oathe harness establishing baseline state. The second batch (events 1405-1410, timestamp 1771936901) followed the skill analysis scripts and represents the oathe post-install integrity check. All files were confirmed intact.
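The attribution above was done by hand from event sequence numbers and timestamps. As an added example (not part of the oathe harness or of this report's tooling), the script below automates that check: it parses a simplified audit trail, locates the clone event, and buckets every canary read as harness baseline (before the clone), harness post-install check, or unattributed. The log lines are constructed to resemble the events described, reusing the event ids and epoch timestamps from the finding; the process names `oathe-baseline`, `oathe-check` and `git`, the line format, and one extra read by `python3` after the clone are assumptions added so the script has something to flag.

```python
"""Attribute canary (honeypot) file reads relative to the skill clone event.

Added example. The log format and process names are assumptions; the
sample lines are constructed and are not real auditd output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Honeypot paths named in the finding; the gcloud file name is an assumption.
CANARY_SUFFIXES = (".env", ".ssh/id_rsa", ".aws/credentials", ".npmrc",
                   ".docker/config.json", ".config/gcloud/credentials.db")
# Assumed names of the harness processes that legitimately touch canaries.
HARNESS_COMMS = {"oathe-baseline", "oathe-check"}

# Constructed sample: "<seq> <epoch> <comm> <path>" per line.
SAMPLE_LOG = """\
254 1771936883 oathe-baseline /home/u/.env
255 1771936883 oathe-baseline /home/u/.ssh/id_rsa
256 1771936883 oathe-baseline /home/u/.aws/credentials
257 1771936883 oathe-baseline /home/u/.npmrc
258 1771936883 oathe-baseline /home/u/.docker/config.json
259 1771936883 oathe-baseline /home/u/.config/gcloud/credentials.db
494 1771936889 git /home/u/skills/clawcoach-setup/.git/HEAD
900 1771936895 python3 /home/u/skills/clawcoach-setup/SKILL.md
1200 1771936898 python3 /home/u/.aws/credentials
1405 1771936901 oathe-check /home/u/.env
1406 1771936901 oathe-check /home/u/.ssh/id_rsa
"""

LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Event:
    seq: int   # audit sequence number
    ts: int    # epoch seconds
    comm: str  # process name
    path: str  # file accessed


def parse_log(text: str) -> List[Event]:
    """Parse the simplified log; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(int(m[1]), int(m[2]), m[3], m[4]))
    return events


def is_canary(path: str) -> bool:
    return any(path.endswith(s) for s in CANARY_SUFFIXES)


def find_clone(events: List[Event], comm: str = "git") -> Optional[Event]:
    """First git event touching a .git directory marks the clone."""
    return next((e for e in events if e.comm == comm and "/.git/" in e.path), None)


def attribute_canary_reads(events: List[Event]) -> Dict[str, List[Event]]:
    """Bucket canary reads by who did them and when, relative to the clone.
    Anything not from a harness process is left unattributed for review."""
    buckets: Dict[str, List[Event]] = {
        "harness-baseline": [], "harness-post-install": [], "unattributed": []}
    clone = find_clone(events)
    for e in events:
        if not is_canary(e.path):
            continue
        if e.comm in HARNESS_COMMS and clone is not None and e.seq < clone.seq:
            buckets["harness-baseline"].append(e)
        elif e.comm in HARNESS_COMMS:
            buckets["harness-post-install"].append(e)
        else:
            buckets["unattributed"].append(e)
    return buckets


if __name__ == "__main__":
    for name, evs in attribute_canary_reads(parse_log(SAMPLE_LOG)).items():
        print(name, [(e.seq, e.comm, e.path) for e in evs])
```

In the report's actual run the unattributed bucket would be empty, which is what lets the finding score 0; the constructed event 1200 shows what a skill-originated read would look like after the clone, and it is the only one a reviewer should need to examine by hand.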