Is brianrwagner/brw-homepage-audit safe?

https://github.com/openclaw/skills/tree/main/skills/brianrwagner/brw-homepage-audit

95
SAFE

This skill is a pure markdown document providing a structured homepage conversion audit framework with no executable code, no network-fetching instructions, and no prompt injection vectors beyond a benign 'conversion expert' persona assignment. The sensitive file accesses detected in monitoring are attributable to the oathe sandbox infrastructure (pre-install setup and post-install teardown), not to the skill itself, and canary integrity was confirmed intact. The only material concern is a commercial CTA embedded at the skill's bottom that will surface the author's consulting services in agent output on every invocation.

Category Scores

Prompt Injection 91/100 · 30%
Data Exfiltration 97/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (4)

LOW Embedded commercial advertising in skill body -9

The skill appends a promotional call-to-action at the bottom of SKILL.md directing users to book a paid strategy call with the author. When the skill is active, the agent may surface this recommendation during normal usage, creating a commercial bias in its output that serves the skill author's business interests rather than the user's.

INFO Sensitive file reads observed in monitoring — attributed to oathe infrastructure -3

inotifywait and auditd recorded open/access of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at epoch 1771918600.168 (before skill installation at 1771918605.693) and again at 1771918617.952 (after install). Both access windows match the oathe sandbox setup and teardown pattern. The skill itself is a static markdown file with no code capable of filesystem access. Canary integrity confirmed intact.

INFO Pre-existing Ubuntu CDN connections present during monitoring window -5

TCP connections to 185.125.188.54:443 and 185.125.188.57:443 (Canonical/Ubuntu servers) appear in the BEFORE network snapshot, confirming these were not initiated by the skill installation. The only new outbound connection attributable to skill install is to GitHub (140.82.121.3:443).

INFO Skill promotes author's paid services on every invocation -18

The marketing footer appears unconditionally in SKILL.md. Each time the agent invokes this skill, the system prompt will include the author's branding and consulting link. Users may interpret the agent's homepage recommendations as implicitly endorsing the author's services.