Is boscoeuk/context-anchor safe?
https://github.com/openclaw/skills/tree/main/skills/boscoeuk/context-anchor
context-anchor is a well-scoped, pure-bash utility that helps LLM agents recover orientation after context compaction by scanning workspace memory files. The skill contains no prompt injection, no network calls, no exfiltration mechanisms, and all canary honeypots remained intact. Minor concerns include the WORKSPACE traversal resolving 3 levels up (which could misbehave if installed at non-standard depth), a documented WORKSPACE override that could be pointed at arbitrary directories, and an integration example that normalises a SOUL.md persona-read pattern which could be exploited in adversarially-controlled workspaces.
Findings (5)
LOW: WORKSPACE defaults to 3-level directory traversal (score impact: -7)
The WORKSPACE variable resolves as $(cd "$(dirname "$0")/../../.." && pwd), walking 3 directories above the script. If the skill is installed at a non-standard depth, this may resolve to a parent directory above the intended project root, potentially causing the script to scan memory/ or context/active/ directories that belong to a different project or contain sensitive notes.
LOW: WORKSPACE environment variable allows arbitrary directory reads (score impact: -6)
The skill documents WORKSPACE=/path/to/workspace as a supported override. An agent with tool access could invoke the script with a crafted WORKSPACE pointing to any readable directory, scanning its memory/ and context/active/ subdirectories if they exist. This is a documented feature, but expands the read surface beyond the intended workspace.
LOW: Integration template promotes SOUL.md persona-read pattern (score impact: -6)
The integration example in SKILL.md shows 'Read SOUL.md — this is who you are' as a session-start routine. While this is documentation copy for users to adapt, if widely adopted it normalises a pattern where agents read workspace files that define their identity. A malicious actor who controls workspace files could place a SOUL.md containing adversarial instructions that override agent behavior.
INFO: Executable bash script included in skill package (score impact: -3)
The skill ships scripts/anchor.sh which will be executed by the agent. The script is fully readable, uses only POSIX standard utilities (find, grep, head, tail, cat, stat, date), and contains no obfuscated or dynamic code. Risk is minimal but agents should confirm the script is unmodified before execution.
INFO: Memory file contents surfaced into LLM context by design (score impact: -6)
The skill's core function is to read and output workspace memory files into the agent's context. Users should be aware that all content in memory/current-task.md, recent daily logs, and context/active/*.md will be injected into the conversation. If these files contain sensitive project data, API keys in notes, or internal details, they will be surfaced to the LLM.