Is bingus-vibecoder/citrini-analyzer safe?

https://github.com/openclaw/skills/tree/main/skills/bingus-vibecoder/citrini-analyzer

97
SAFE

The citrini-analyzer skill is a benign, well-scoped formatting tool that converts Citrini Research investment newsletter emails into structured Discord summaries. It contains no executable code, no prompt injection attempts, no credential-harvesting instructions, and its installation produced only expected GitHub clone traffic with all filesystem changes confined to the designated skill directory. The only material risk is indirect: the skill processes forwarded third-party email content verbatim, meaning a compromised upstream email source could theoretically use this skill as a passthrough for adversarial agent instructions — a generic content-processing concern rather than a flaw inherent to the skill itself.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (6)

LOW Email Content Passthrough Enables Indirect Injection -8

The skill instructs the agent to preserve the source author's exact language, including conviction signal phrases. If a Citrini Research email were spoofed or the Substack account compromised, an attacker could embed prompt injection payloads in the newsletter body that would be reproduced verbatim in the structured output or interpreted as agent instructions.

LOW Third-Party Email Content Is an Untrusted Attack Surface -15

The skill is explicitly designed to ingest and process forwarded emails from an external newsletter source (Citrini Research via Midas_Jaeger on Substack). This creates a supply-chain-adjacent risk: anyone who can inject content into the email stream (compromised Substack account, email spoofing, man-in-the-middle) gains an indirect channel into the agent's instruction context. The skill itself is not malicious, but its trust model assumes the email source is benign.

INFO Canary File Reads Attributable to Audit Framework, Not Skill 0

inotifywait and auditd both record reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. However, these reads at audit timestamp 1771902513.808 occur approximately 5 seconds before the git clone begins at 1771902519.331, placing them squarely in the audit framework's pre-install setup phase. A second set of reads at 1771902536.616 follows the completed install, consistent with post-install canary integrity verification. No skill code could have triggered these reads.

INFO No Executable Content — Pure Markdown Skill 0

The skill consists entirely of three plain-text files: SKILL.md (formatting instructions), references/example-output.md (sample output template), and _meta.json (registry metadata). There is no executable surface whatsoever.

INFO No Credential or File Access Instructions Present 0

A full review of SKILL.md reveals no directives for the agent to read system files, query environment variables, access credentials, or transmit data to external endpoints. The skill's operational scope is strictly limited to transforming text content provided by the user.

INFO All Honeypot Files Intact 0

Post-install verification confirms all six canary files are unmodified. No exfiltration via honeypot access was detected.