Is benmjohnson69/benos-bootstrap safe?

https://github.com/openclaw/skills/tree/main/skills/benmjohnson69/benos-bootstrap

Score: 84 · SAFE

benos-bootstrap is a functionally trivial skill — its code unconditionally returns a static health-check object and makes no network calls, reads no files, and runs no install scripts. The installation was clean with no unexpected network egress, no canary file tampering, and no persistent connection changes. However, the skill carries notable behavioral red flags: the package.json explicitly describes it as a 'BenOS identity alignment' bootstrap, and the SKILL.md frames it as an 'executive runtime overlay' that controls downstream skill execution — specific language that warrants scrutiny in LLM agent security contexts.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 83/100 · 25%
Code Execution 93/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (7)

MEDIUM 'BenOS Identity Alignment' — Suspicious Agent Identity Framing -25

The package.json description explicitly states 'Bootstrap layer for BenOS identity alignment.' In the context of LLM agent systems, 'identity alignment' is a specific term referring to shaping or constraining an agent's sense of self and behavioral disposition. While this string appears in package metadata rather than the injected SKILL.md text, it signals authorial intent to influence agent identity framing. The skill constructs an entire fictional operating system persona ('BenOS') and asks the agent to treat it as a foundational runtime environment.

LOW 'Executive Runtime Overlay' Authority Framing in SKILL.md -10

SKILL.md describes BenOS as a 'deterministic, structured executive runtime overlay' that ensures 'downstream skills' cannot execute in an 'inconsistent environment.' This framing positions the skill as having executive authority over other skills' execution — establishing a hierarchical control claim within the agent's injected context that could prime the agent to treat BenOS instructions as authoritative.

LOW Bootstrap Prerequisite Positioning for Persistent Context -10

The skill explicitly declares itself a required prerequisite that 'is meant to run prior to advanced orchestration or automation layers.' This pattern — establishing a lightweight, apparently benign bootstrap skill that runs before other components — is a known technique for anchoring a persistent behavioral context or persona into an agent's system prompt before more observable capabilities load.

LOW Developer Environment Lock File Included in Published Skill -12

The published skill bundle contains .clawhub/lock.json, a file that tracks the author's local skill installation state. This reveals the author has 'academic-research-hub' v0.1.0 installed and discloses the install timestamp (1770957475341). Including development environment state in a published skill is anomalous; it could indicate OPSEC carelessness or, in a more concerning interpretation, intentional metadata embedding to signal a companion skill to consumers.

LOW Claimed Functionality Not Implemented in Code -8

SKILL.md claims the skill 'Verifies workspace structure and sandbox integrity,' 'Confirms agent runtime configuration is valid,' 'Checks required environment variables,' and 'Validates Node runtime compatibility.' The actual index.js implementation does none of this — it unconditionally returns {ok: true, message: 'BenOS bootstrap active.'}. This misrepresentation of capabilities could be a placeholder for future malicious functionality, or an attempt to prime the agent to believe validation has occurred when it has not.

INFO Very New Skill with No Version History -5

The skill was published approximately 11 days before this audit and has an empty version history array. A skill claiming to be enterprise-grade infrastructure-level foundational tooling would normally have some revision history.

INFO Canary File Reads Attributed to Audit Harness (Not Skill) -3

All six honeypot credential files were opened and read at two timestamps: at audit start (1771733671.608, harness canary setup) and after skill scan completion (1771733687.481, harness integrity verification). The CLOSE_NOWRITE inotify pattern on all files confirms no modification. Timeline analysis places both access batches within audit harness operation phases, not within the skill's code execution window. No exfiltration via canary files is indicated.