Is bjesuiter/nb safe?
https://github.com/openclaw/skills/tree/main/skills/bjesuiter/nb
The bjesuiter/nb skill is a documentation-only SKILL.md describing the nb CLI note-taking tool. It contains no executable code, no prompt injection attempts, no data exfiltration mechanisms, and caused no unexpected network or filesystem activity during installation. The only findings are a minor internal inconsistency in the documentation (warning against bypassing the CLI while also showing how to do so) and the inherent fact that nb's sync feature can push notes to external git remotes, which is standard nb behavior users should understand.
Findings (4)
LOW Internal documentation inconsistency (-10)
The skill opens with a bold warning: 'Never edit files in nb git repos (~/.nb/*) by hand!' but then includes a 'Common Patterns' section that documents doing exactly that — copying files directly into ~/.nb/ and running raw git commands. This contradicts the stated safe-use guidance and could confuse an agent into bypassing the nb CLI, potentially corrupting the index.
LOW nb sync can push note content to external git remotes (-8)
The skill documents and encourages use of 'nb sync' to push/pull from remote repositories. If nb is configured with a remote, note content will leave the local machine. This is legitimate nb behavior, but an agent using this skill could inadvertently sync sensitive information the user has stored as notes to an external git host.
INFO Expected GitHub traffic only during install (0)
The git clone of the openclaw/skills monorepo to 140.82.121.4:443 is the expected skill installation mechanism. No additional or unexpected outbound connections were observed.
INFO Canary file accesses attributable to monitoring infrastructure (0)
Filesystem events show access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at both 04:30:01 (before skill clone) and 04:30:18 (post-install analysis phase). Both access windows align with oathe monitoring lifecycle (canary plant and final sweep), not skill execution. The skill contains no executable code capable of triggering these reads.