Is ccjingeth/openclaw-token-save safe?

https://github.com/openclaw/skills/tree/main/skills/ccjingeth/openclaw-token-save

94
SAFE

The openclaw-token-save skill is a clean, text-only advisory skill with no executable code, no prompt injection patterns, and no evidence of malicious behavior during installation. Network activity was strictly limited to the expected GitHub clone, and all canary honeypot files remained intact and unmodified. The sole substantive risk is the skill's legitimate core workflow of reading OpenClaw workspace configuration files — including openclaw.json and memory files that may contain API keys — which users should understand will be processed by their LLM context when the skill is invoked.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 96/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

LOW · Token audit workflow requires reading workspace files that may contain secrets · -10

The skill's first workflow step instructs the agent to identify and read openclaw.json from common paths (~/.openclaw/openclaw.json, .openclaw/openclaw.json, or project root). OpenClaw config files typically store model provider API keys, billing credentials, and provider-specific parameters. The skill also explicitly enumerates AGENTS.md, SOUL.md, TOOLS.md, IDENTITY.md, USER.md, HEARTBEAT.md, MEMORY.md, and daily memory logs as files to inspect and size. While all of this is within the stated purpose of token cost auditing, users should be aware that invoking this skill will cause their LLM to process the full contents of their agent workspace, including any secrets stored there. The skill itself provides no mechanism to exfiltrate this data.

INFO · Pre-install canary file reads attributed to audit framework baseline, not skill · -5

inotifywait and auditd PATH records show that canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud application_default_credentials.json) were opened read-only at 04:23:03, five seconds before the skill installation began (git clone EXECVE at audit seq 498, timestamp 1771906988.914). The skill package contains no executable code and no install-time scripts; there is no mechanism by which the skill itself could trigger these accesses. The timing and pattern are consistent with oathe-audit.sh performing a pre-install canary baseline read. A second access cluster at 1771907000 is consistent with the post-install integrity verification pass. All canary files were confirmed intact.

INFO · Network activity confined to expected GitHub clone operation · 0

The only external TCP connection established during skill installation was to 140.82.121.3:443, which resolves to GitHub's servers and directly corresponds to the git clone command in the installation script. The pre-existing connection to 185.125.188.58:443 (Canonical/Ubuntu package infrastructure) was present in the BEFORE network snapshot and absent from the AFTER snapshot, confirming it predated installation and was not created by the skill. The connection diff shows no new listening ports and no new outbound connections introduced by the skill installation.

INFO · Skill package contains no executable components whatsoever · 0

Exhaustive enumeration of all files in the skill directory found exactly three items: SKILL.md (markdown workflow instructions), references/openclaw-token-optimization.md (config snippet reference guide), and _meta.json (package version metadata). No JavaScript, TypeScript, Python, or shell scripts were found. Git metadata checks confirmed no .gitattributes filter drivers, no .gitmodules external references, no .githooks/ scripts, and no symlinks anywhere in the package.

INFO · SKILL.md contains no adversarial prompt patterns · 0

Full text review of SKILL.md found no attempts to override system instructions, no jailbreak language, no requests to ignore prior context, no invisible Unicode code points, no HTML comments, no base64-encoded payloads, no external URLs for the agent to fetch, and no persona-change directives. The skill's description field accurately matches its actual workflow content. All seven workflow phases are concrete, auditable, and consistent with the stated token optimization purpose.