Is cai-zhuo/test-materials safe?
https://github.com/openclaw/skills/tree/main/skills/cai-zhuo/test-materials
The cai-zhuo/test-materials skill is a documentation-only package (SKILL.md + _meta.json) with no executable code, npm scripts, git hooks, or prompt injection content. The credential file accesses observed in the monitoring logs are attributable to the Oathe audit system's own pre- and post-install canary baseline checks, as confirmed by their timing (the first batch before the clone, the second after install completion) and by the intact canary integrity report. The principal residual risk is that runtime use of this skill directs an agent to install and run 'materials-cli' from npm, a package whose integrity was not audited here.
Findings (4)
INFO Credential file reads attributed to Oathe audit infrastructure canary checks 0
The monitoring log shows reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials at two points. The first batch (audit ts 1771926996) precedes the git clone (audit ts 1771927001.668) by approximately 5 seconds, identifying it as Oathe's own pre-install canary snapshot. The second batch (audit ts 1771927020) follows install completion and represents the post-install integrity comparison. All CLOSE events are CLOSE_NOWRITE, and the canary integrity report confirms no modifications. No skill-initiated process is responsible for these reads.
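The attribution above is a timeline argument: credential-file reads that fall before the clone or after install completion belong to the canary baseline, and only reads inside the clone-to-install window, or any CLOSE event that is not CLOSE_NOWRITE, would be attributable to the skill. The script below is an added example that applies that rule to a log; it is not part of the Oathe tooling or of the audited skill. Its line format ("timestamp event path-or-command"), the EXEC phase markers, the sub-second timestamps and the file paths are constructed for illustration (the whole-second timestamps match the finding), and the list of paths treated as credential material is an assumption.

```python
"""Attribute credential-file reads in an install-audit log to an audit phase.

Added example; not part of the Oathe audit tooling or the audited skill.
The log line format ("<ts> <event> <path-or-command>"), the EXEC markers and
the sample lines are constructed for illustration.
"""
import re

# Constructed sample log. Whole-second timestamps follow the finding:
# canary snapshot 1771926996, git clone 1771927001.668, post-install 1771927020.
SAMPLE_LOG = """\
1771926996.102 OPEN /home/agent/.env
1771926996.103 CLOSE_NOWRITE /home/agent/.env
1771926996.110 OPEN /home/agent/.ssh/id_rsa
1771926996.111 CLOSE_NOWRITE /home/agent/.ssh/id_rsa
1771926996.120 OPEN /home/agent/.aws/credentials
1771926996.121 CLOSE_NOWRITE /home/agent/.aws/credentials
1771927001.668 EXEC git clone https://github.com/openclaw/skills
1771927003.500 OPEN /tmp/skill/SKILL.md
1771927003.501 CLOSE_NOWRITE /tmp/skill/SKILL.md
1771927019.000 EXEC install-complete
1771927020.004 OPEN /home/agent/.env
1771927020.005 CLOSE_NOWRITE /home/agent/.env
1771927020.010 OPEN /home/agent/.npmrc
1771927020.011 CLOSE_NOWRITE /home/agent/.npmrc
"""

# Assumption: which paths count as credential material (mirrors the finding).
CREDENTIAL_SUFFIXES = (".env", ".ssh/id_rsa", ".aws/credentials", ".npmrc",
                       ".docker/config.json")
CREDENTIAL_DIRS = ("/.config/gcloud/",)

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<event>\S+)\s+(?P<rest>.*)$")


def parse(log_text):
    """Yield (timestamp, event, rest) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m["ts"]), m["event"], m["rest"]


def is_credential_path(path):
    p = path.lower()
    return p.endswith(CREDENTIAL_SUFFIXES) or any(d in p for d in CREDENTIAL_DIRS)


def attribute_reads(log_text):
    """Bucket credential-file OPENs by phase and collect any CLOSE that wrote."""
    events = list(parse(log_text))
    clone_ts = next((ts for ts, ev, r in events
                     if ev == "EXEC" and r.startswith("git clone")), None)
    done_ts = next((ts for ts, ev, r in events
                    if ev == "EXEC" and r == "install-complete"), None)
    if clone_ts is None or done_ts is None:
        raise ValueError("log lacks clone/install-complete markers; no phase windows")
    out = {"pre_install": [], "during_install": [], "post_install": [], "writes": []}
    for ts, ev, path in events:
        if ev == "EXEC" or not is_credential_path(path):
            continue
        if ev == "OPEN":
            if ts < clone_ts:
                out["pre_install"].append((ts, path))      # canary snapshot
            elif ts > done_ts:
                out["post_install"].append((ts, path))     # canary comparison
            else:
                out["during_install"].append((ts, path))   # skill-attributable
        elif ev.startswith("CLOSE") and ev != "CLOSE_NOWRITE":
            out["writes"].append((ts, path))               # canary was modified
    return out


def skill_touched_credentials(buckets):
    """True when any read falls inside the install window or any canary was written."""
    return bool(buckets["during_install"] or buckets["writes"])


if __name__ == "__main__":
    b = attribute_reads(SAMPLE_LOG)
    for phase, items in b.items():
        print(f"{phase:15} {len(items)}")
    print("skill-attributable:", skill_touched_credentials(b))
```

On the constructed log every credential OPEN lands in the pre-install or post-install bucket and every CLOSE is CLOSE_NOWRITE, which is the pattern the finding describes; moving one id_rsa read into the clone-to-install window, or turning one CLOSE into a write, flips the verdict.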
LOW --base-url flag enables API endpoint redirection -7
The generate subcommand accepts --base-url, allowing the OpenAI-compatible endpoint to be overridden. Because such a client sends its API key and the full prompt to whatever base URL it is configured with, a redirected call leaks both. The SKILL.md does not embed a malicious URL, but an attacker could chain this skill with a prompt injection in user-controlled content to have the agent pass an exfiltration endpoint as --base-url. The exposure is limited to deployments in which the agent accepts a base URL from untrusted input; pinning the endpoint or allowlisting its host removes it.
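One agent-side mitigation is to validate any --base-url value against a host allowlist before the command line is executed. The following is an added example, not code from the skill or from materials-cli; the allowed host set is an assumption, and only the generate subcommand and --base-url flag named in this finding are referenced. The checks cover the usual URL tricks: a non-https scheme, userinfo that makes the allowlisted host appear before an @, a lookalike suffix domain, and a non-standard port.

```python
"""Allowlist check for an OpenAI-compatible --base-url before an agent hands it to a CLI.

Added example; not code from the skill or from materials-cli. The allowed host
set is an assumption; only the `generate` subcommand and the `--base-url` flag
named in the finding are referenced.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"api.openai.com"}  # assumption: the one endpoint this deployment trusts


def base_url_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Accept only https URLs whose host is allowlisted, with no userinfo or odd port."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port   # .port raises on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False                       # plaintext would expose the API key in transit
    if parts.username is not None or parts.password is not None:
        return False                       # e.g. https://api.openai.com@evil.example/v1
    if host is None or port not in (None, 443):
        return False
    return host.lower() in allowed_hosts   # exact match, so api.openai.com.evil.example fails


def disallowed_base_urls(argv):
    """Return every --base-url value in argv that fails the allowlist (empty list = safe)."""
    bad = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "--base-url":
            value = argv[i + 1] if i + 1 < len(argv) else ""   # missing value is not safe
            i += 2
        elif arg.startswith("--base-url="):
            value = arg.split("=", 1)[1]
            i += 1
        else:
            i += 1
            continue
        if not base_url_allowed(value):
            bad.append(value)
    return bad


if __name__ == "__main__":
    # Constructed command line with an injected userinfo-style redirect.
    argv = ["materials-cli", "generate", "--base-url",
            "https://api.openai.com@evil.example/v1"]
    print("refuse" if disallowed_base_urls(argv) else "run", argv)
```

The agent runs the command only when disallowed_base_urls returns an empty list. Matching the host exactly rather than by suffix is deliberate: a suffix check would let api.openai.com.evil.example through.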
LOW Runtime invocation of unaudited external npm package -8
The skill's core functionality depends on 'materials-cli' being installed via npm. The package is not bundled with the skill and must be fetched from the npm registry at agent runtime. Its install scripts and runtime behavior were not evaluated in this audit. A typosquatted lookalike or a compromised release of 'materials-cli' could execute arbitrary code through npm lifecycle scripts when installed by the agent, and again when the CLI itself is run. Pinning an exact version, checking the fetched tarball against a lockfile integrity hash, and installing with npm's --ignore-scripts flag reduce the install-time exposure but do not cover code that runs when the CLI is invoked.
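The pin-and-verify step a practitioner would put in front of that install, as an added example that is not part of the audited skill, of materials-cli, or of the Oathe tooling: read the dependency's entry from a v2/v3 package-lock.json, require that it resolve to an allowlisted registry host, check the downloaded tarball against the lockfile's SRI integrity string, and only then build an exact-version install command with lifecycle scripts disabled. The lockfile entry, the version number and the tarball bytes below are constructed; only the package name comes from the finding, and the registry host allowlist is an assumption.

```python
"""Pin-and-verify check for an npm package an agent is about to install.

Added example; not part of the audited skill, of materials-cli, or of the Oathe
tooling. The lockfile entry, the version number and the tarball bytes are
constructed for illustration; only the package name comes from the finding.
"""
import base64
import hashlib
import json
from urllib.parse import urlsplit

SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}   # algorithms SRI permits
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}           # assumption: public registry only


def sri_sha512(data):
    """Subresource Integrity string in the form npm writes to package-lock.json."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode()


def verify_tarball(data, integrity):
    """True iff data matches the strongest hash in the SRI string (SRI semantics)."""
    candidates = []
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        if algo not in SRI_STRENGTH:
            continue
        try:
            candidates.append((SRI_STRENGTH[algo], algo,
                               base64.b64decode(digest, validate=True)))
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
    if not candidates:
        return False                  # unknown or unparsable algorithms never verify
    best = max(s for s, _, _ in candidates)
    return any(hashlib.new(algo, data).digest() == expected
               for s, algo, expected in candidates if s == best)


def lock_problems(lock_text, name):
    """Reasons the v2/v3 package-lock.json entry for `name` is not a safe pin."""
    entry = json.loads(lock_text).get("packages", {}).get(f"node_modules/{name}")
    if entry is None:
        return [f"{name} is not pinned in the lockfile"]
    problems = [f"entry lacks {f}" for f in ("version", "resolved", "integrity")
                if f not in entry]
    if "resolved" in entry:
        host = urlsplit(entry["resolved"]).hostname
        if host not in ALLOWED_REGISTRY_HOSTS:
            problems.append(f"resolves to untrusted host {host!r}")
    return problems


def install_command(name, lock_text):
    """Exact-version install with lifecycle scripts disabled, or None if the pin is unsafe."""
    if lock_problems(lock_text, name):
        return None
    version = json.loads(lock_text)["packages"][f"node_modules/{name}"]["version"]
    return ["npm", "install", "--ignore-scripts", f"{name}@{version}"]


# Constructed inputs: stand-in tarball bytes and a lockfile that pins them.
FAKE_TARBALL = b"constructed stand-in for a materials-cli tarball"
FAKE_LOCK = json.dumps({
    "name": "agent-workspace", "lockfileVersion": 3,
    "packages": {
        "node_modules/materials-cli": {
            "version": "1.2.3",   # constructed; not a real release number
            "resolved": "https://registry.npmjs.org/materials-cli/-/materials-cli-1.2.3.tgz",
            "integrity": sri_sha512(FAKE_TARBALL),
        }
    },
})

if __name__ == "__main__":
    integrity = json.loads(FAKE_LOCK)["packages"]["node_modules/materials-cli"]["integrity"]
    print("lock problems:", lock_problems(FAKE_LOCK, "materials-cli"))
    print("tarball verifies:", verify_tarball(FAKE_TARBALL, integrity))
    print("tampered verifies:", verify_tarball(FAKE_TARBALL + b"x", integrity))
    print("install:", " ".join(install_command("materials-cli", FAKE_LOCK)))
```

In practice the tarball bytes come from fetching the entry's resolved URL, and the agent aborts when lock_problems is non-empty or verify_tarball is false. The --ignore-scripts flag blocks the package's own preinstall/install/postinstall hooks; it does nothing about code that runs when the installed binary is invoked, and it will break packages that legitimately need a postinstall build step, so the CLI itself still needs review.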
INFO No install-time code execution — skill is documentation-only 0
Static analysis of all cloned files confirms the skill is pure documentation. No npm lifecycle hooks, git filter drivers, submodules, or symlinks were present. The install process was clean, producing only the two expected files.