Is brucko/primer safe?
https://github.com/openclaw/skills/tree/main/skills/brucko/primer
The brucko/primer skill is a legitimate personal development tutor with no active malware, data exfiltration payloads, or covert code execution — the GitHub clone was clean, all canary honeypots were intact, and no skill code paths access credential files. The primary security surface is architectural rather than malicious: the skill permanently modifies AGENTS.md and SOUL.md to inject the Primer persona into every future agent session, creates autonomous cron jobs for daily reflection and check-ins, and accumulates sensitive personal data in PRIMER.md — all by design and with transparent user consent during setup, but with long-lived behavioral implications that may not be fully apparent to users at install time. The skill is what it claims to be, but 'subversive by design' warrants informed consent.
Findings (11)
HIGH Persistent SOUL.md Agent Identity Override -12
The skill instructs the agent to permanently modify SOUL.md by inserting a 'Primer Role' section that redefines the agent's core identity as a 'tutor with opinions about who you should become.' This modification persists across all future sessions regardless of whether the Primer skill is explicitly invoked, effectively injecting a persistent persona change into the agent's base system prompt for all subsequent interactions.
HIGH Persistent AGENTS.md Session Startup Injection -8
The skill instructs the agent to modify AGENTS.md so that PRIMER.md is loaded on every session start. This creates a permanent cross-session behavioral modification — the Primer protocol becomes active in every future session without explicit per-session user invocation, persisting even if the user forgets about the skill.
MEDIUM Autonomous Cron Job Creation for Agent-Initiated Actions -5
The skill instructs the agent to create two cron jobs: a daily reflection job and a periodic Miranda check-in. These scheduled tasks execute agent actions autonomously without per-invocation user approval, creating ongoing unsupervised agent activity. The setup_primer.py script encodes these as time-based triggers.
LOW Literary 'Subversive' Framing Normalizes Elevated Agent Permissions -3
The skill uses 'subversive' as a positive descriptor throughout its documentation, framing overriding helpful default agent behavior as desirable. While this is thematic framing from Neal Stephenson's Diamond Age novel and not technical subversion, it may lower user scrutiny of the substantial permissions being granted to the agent.
LOW External Google Forms URL With Agent-Triggerable Submission -8
The skill includes a Google Forms feedback URL and instructs users to tell the agent 'I have feedback on the Primer skill — it'll know what to do.' This implies the agent may be expected to navigate to and interact with an external URL, which could result in session context or user data being transmitted to a third-party Google Forms endpoint.
INFO Canary Credential File Accesses Attributed to Audit Infrastructure -4
Filesystem monitoring detected accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud application_default_credentials.json at 04:23:37 (pre-install baseline) and 04:23:57 (post-install verification). Timing analysis shows the first batch precedes the git clone by 6 seconds (clone begins 04:23:43); the second batch occurs after all skill EXECVE events conclude. No skill code paths (SKILL.md, setup_primer.py, reference files) contain instructions to access credential files. Canary integrity check confirms all files unmodified.
MEDIUM Python Script With Unsanitized Config Injection Into System Files -20
scripts/setup_primer.py is a Python automation script that writes user-supplied config values directly into PRIMER.md, AGENTS.md, and SOUL.md via string replacement without input sanitization. While it requires explicit invocation (no preinstall/postinstall hooks, no git hooks detected), the fill_template() function performs naive string replacement of placeholders with user config values, which could be used to inject arbitrary content into core agent configuration files if the config JSON is attacker-controlled.
INFO Clean Sparse GitHub Clone — No Unexpected Behavior -5
The install performed a standard depth-1 sparse checkout of the openclaw/skills monorepo on GitHub (140.82.121.3:443), extracted skills/brucko/primer, copied files to the skill directory, and cleaned up the temp clone. No unexpected network connections, background processes, git hooks, git submodules, symlinks, or filesystem changes outside the skill directory were detected.
INFO All Canary Honeypot Files Intact 0
Post-install verification confirmed all six honeypot credential files remain unmodified. No credential exfiltration through honeypot compromise was detected at any point during the monitoring period.
MEDIUM Persistent Agent Identity Rewrite Outlasts User Awareness -20
The skill's dual SOUL.md + AGENTS.md modification strategy creates an agent identity change that persists indefinitely after installation, long after users may have forgotten they installed the Primer skill. The agent will continue challenging user decisions, logging reflections, and running Miranda check-ins autonomously. There is no documented uninstall path to revert these system file changes.
LOW Miranda Protocol Concentrates Sensitive Personal and Relational Data -15
The Miranda Protocol instructs the agent to elicit and record sensitive personal information: named relationships (spouse, friends, mentors, coaches), the user's psychological failure modes, personal vulnerabilities under stress, and life purpose statements. This data is stored in PRIMER.md in the workspace. While no active exfiltration path exists in the current codebase, this represents a significant personal data concentration that would be high-value if the skill were later updated to include exfiltration or if the workspace were compromised.