Is cburnette/wayfound safe?
https://github.com/openclaw/skills/tree/main/skills/cburnette/wayfound
Wayfound is a self-supervision skill with legitimate intent but meaningful architectural risks. Its core mechanism — autonomously updating SOUL.md and MEMORY.md through a recurring self-review loop — creates a persistent self-modification channel that can reshape agent behavior over time without explicit per-change user approval. Installation also silently introduces an unaudited transitive dependency (academic-research-hub) and triggers new external network connections via the openclaw-gateway. No malicious code, no credential exfiltration, and no hidden instructions were found; safety-positive elements include explicit user-approval requirements for the cron job and rubric examples that reinforce security-conscious behavior.
Findings (7)
MEDIUM Autonomous SOUL.md modification loop -28
The skill's pattern detection mechanism instructs the agent to autonomously update SOUL.md (the agent's identity and behavioral standards file) when recurring themes are detected in self-review files. This creates a self-modification loop where agent behavior can drift from original user intent without explicit per-change approval. The mechanism runs during memory maintenance operations which can occur at any time.
MEDIUM Undeclared transitive dependency: academic-research-hub -18
The .clawhub/lock.json file bundled with this skill declares academic-research-hub v0.1.0 as an installed dependency. This means installing wayfound may also install an unrelated skill that the user never requested or reviewed. The security posture of academic-research-hub is unknown and was not audited.
MEDIUM Post-install external connections via openclaw-gateway -35
After skill installation, the openclaw-gateway process established two new persistent ESTABLISHED connections to 98.83.99.233:443 and a completed connection to 104.16.8.34:443 (Cloudflare). These connections were not present before installation. While these appear to be platform-level connections (not initiated by the skill's static content), the fact that installing this skill triggered them is worth flagging.
LOW Commercial upsell embedded in system prompt -13
The skill's SKILL.md devotes a full section to promoting Wayfound Enterprise at https://wayfound.ai, a commercial SaaS product. This promotional content is injected into the agent's system prompt and persists across all sessions where the skill is active. The enterprise offering includes a 'dedicated AI Supervisor' that 'reads your sessions independently — outside your environment'.
LOW Cron job registration with memory file access -12
The skill instructs the agent to register a persistent daily cron job that runs as an isolated agent, reads SOUL.md and today's memory file, and writes review output back to memory/. While the skill requires user approval before setup and the cron job runs with a low thinking budget, this creates a recurring autonomous process with access to potentially sensitive session context.
LOW Self-review primes acceptance of external session monitoring -20
The 'Wayfound Enterprise' section explicitly primes users toward accepting a third-party AI supervisor that reads sessions outside the user's environment. By normalizing this concept in the self-supervision framing, the skill may lower user resistance to granting external read access to session data.
INFO Canary files accessed but not exfiltrated -7
All six honeypot credential files were opened for reading at multiple points during the audit window. The canary integrity check confirms that none were modified and that none of their contents were transmitted externally. Access patterns are consistent with the audit system's own baseline sweep operations rather than skill-initiated reads. The skill's static content contains no instructions to read credential files.