Is brianrwagner/brw-voice-extractor safe?
https://github.com/openclaw/skills/tree/main/skills/brianrwagner/brw-voice-extractor
brianrwagner/brw-voice-extractor is a benign, markdown-only skill that guides the LLM through a structured voice extraction workflow. The SKILL.md contains no prompt injection attempts, no code, no hidden instructions, and no agent tool directives. Monitoring confirms a clean install: only two skill files were added to disk, no persistent network connections were established post-install, and all canary honeypot files remain intact and unexfiltrated. The primary risk is privacy-related — the skill's stated purpose involves ingesting sensitive personal communications — but this is disclosed, user-consented, and contains no active exfiltration mechanism.
Findings (4)
LOW Personal Writing Ingestion Is Core Feature -15
The skill explicitly requests sensitive personal communications including private emails, Slack messages, and podcast transcripts. While this is the stated and consented purpose, users should be aware they are sharing personal data with the agent. There is no exfiltration mechanism, but the surface area for inadvertent sensitive data exposure is real.
INFO Voice Guide Enables User Impersonation -10
The product's output — a detailed communication DNA document — could be reused in future sessions to make AI outputs sound like a specific person. While this is the feature's intent, the same artifact could be used without the person's knowledge to impersonate them.
INFO Commercial CTA Present But Benign -8
SKILL.md ends with a promotional call-to-action linking to brianrwagner.com. This is a passive hyperlink in markdown, not an instruction to the agent to navigate there or fetch content.
INFO Sensitive File Reads Attributed to Monitoring Harness -10
Auditd PATH records at 1771739079.476 show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. Timing analysis places these reads approximately 6 seconds before the git clone began (1771739085.021), consistent with the monitoring harness placing and verifying canary honeypots. A second batch at 1771739096.466 aligns with post-install canary integrity verification. No skill process correlates to either batch.