Is bbintom123321-lab/humanize-zh safe?
https://github.com/openclaw/skills/tree/main/skills/bbintom123321-lab/humanize-zh
The humanize-zh skill is a straightforward Chinese writing-style guide with no executable code, no prompt injection attempts, and no data exfiltration mechanisms. Credential file accesses observed during monitoring are attributable to the audit framework's own canary lifecycle (pre-install timing, sequential inodes, passing integrity check) rather than any malicious skill behavior. The skill installs only two static text files and makes no persistent changes to the host environment.
Category Scores
Findings (3)
LOW Credential files accessed pre-install during monitoring window -12 ▶
Filesystem monitoring recorded OPEN/ACCESS events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at 10:30:49 — approximately 5 seconds before the git clone ran. The access pattern is identical to a second sweep at the end of the monitoring session. The canary integrity check passed, and the inode numbers for these files are sequential (272633–272638), consistent with audit-framework-created synthetic canary files read during setup and teardown. No skill code could have triggered these accesses as the skill was not yet installed.
INFO Skill instructs agent to add personal anecdotes and opinions to text -3 ▶
The skill's transformation guidelines instruct the agent to inject first-person experiences ('I encountered this before...') and subjective opinions ('personally I think...'). This is the skill's stated purpose and does not constitute a security risk, but auditors should note that it influences the agent's output persona in a minor way.
INFO Network connections to Ubuntu infrastructure during install -8 ▶
Connections to 91.189.91.48:443 and 185.125.188.58:443 (Canonical/Ubuntu servers) were observed. These are from the MOTD update mechanism triggered by SSH session establishment, not from the skill or its installation script.