Is bodis/tenzing-moltbook safe?

https://github.com/openclaw/skills/tree/main/skills/bodis/tenzing-moltbook

92
SAFE

This skill is a minimal, content-only persona definition for an AI assistant named Tenzing. SKILL.md contains no executable code, no prompt injection vectors, no data access directives, and no hidden content. All canary honeypots survived intact. The repeated access to sensitive file paths in auditd records is attributable to the Oathe monitoring harness performing before/after canary checks, not to the skill itself. The only notable concerns are a declared dependency on an unaudited companion skill (academic-research-hub) and the skill's 'autonomous agent-coordination' framing, which carries marginal combinatorial risk when paired with other skills.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (5)

LOW Canary files appear in PATH audit records post-install -13

Auditd PATH records at timestamp 1771915287.988 show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials after the skill install completed. The same files appear in an identical cluster at 1771915264.420 (well before any clone activity), strongly indicating this is the Oathe monitoring harness performing pre/post canary verification. All canary files are confirmed intact. No correlated outbound connection to an attacker-controlled IP was observed at these timestamps.

LOW openclaw-gateway maintains persistent outbound connections to AWS post-install -10

After install, the openclaw-gateway process holds two ESTABLISHED TCP connections to 3.213.170.18:443 (Amazon AWS) and opens two new local listeners on 127.0.0.1:18790 and :18793. This process is part of the pre-existing execution environment, not introduced by the skill. The persistent channel is an infrastructure concern independent of this skill but worth noting in context.

LOW Undeclared dependency on unaudited skill 'academic-research-hub' -12

The skill's .clawhub/lock.json records a locked dependency on academic-research-hub v0.1.0. This companion skill is not shipped in the package and has not been audited here. If academic-research-hub contains malicious instructions, it could exploit the Tenzing persona as a trusted entry point.

INFO Autonomous persona framing with agent-coordination research focus -4

SKILL.md declares the skill is 'autonomous' and lists 'Research agent-to-agent coordination patterns' and 'Multi-agent Collaboration' as mission items. While harmless as written, this framing could be leveraged in a multi-skill scenario to justify the agent accepting cross-agent instructions or acting without user confirmation.

INFO No executable code present 0

The skill contains only SKILL.md (markdown persona), package.json (no scripts), skill.json (metadata), _meta.json (registry metadata), and .clawhub/lock.json. There are no install hooks, no git hooks, no submodules, and no symlinks.