Is charlesmulic/prior-openclaw safe?

The oathe install script ran 'git clone --depth 1 --no-checkout --branch main -- https://github.com/openclaw/skills.git /tmp/monorepo-clone' but the destination already existed from a prior run. The script did not abort; it cd'd into the stale directory and ran git sparse-checkout and git checkout. This means the installed content came from a previously cloned tree of unknown commit age, not a fresh depth-1 clone of main. The --depth and --branch guarantees that protect against historical malicious commits were bypassed.

The SKILL.md file, which is the primary surface for prompt injection in the OpenClaw skill format, is empty. All source code sections are empty. No files of any type were installed into the skill-under-test directory. It is impossible to audit for instruction override, persona hijacking, hidden exfiltration commands, or any other prompt-level attack because there is no content. This is not a clean bill of health — it is an inability to audit.

Inotifywait recorded read access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at 10:17:48 — five seconds before the git clone executed. A second identical batch of reads occurred at end-of-audit. Timing and pattern match oathe's own baseline and post-install canary scan cycle (confirmed by the passing ✅ integrity check). The reads are not attributed to the skill but represent a comprehensive sweep of every sensitive credential type on the execution host.

After the sparse checkout of skills/charlesmulic/prior-openclaw, the cp command copied nothing into /home/oc-exec/skill-under-test/. A subsequent find -type f on that directory returned no results. The skill path is either absent from the openclaw/skills monorepo or is a directory with no files. This means the skill cannot be evaluated for embedded scripts, npm install hooks, or any other code execution vector — not because none were found, but because there was nothing to find.

A skill that installs no content, declares no SKILL.md, and has an opaque name ('prior-openclaw' — suggesting a prior version or placeholder) presents a unique risk profile: it is harmless today but represents an audited-and-cleared named slot. If the openclaw/skills repository later adds content to this path, existing installations would not re-trigger audit. The skill could serve as a sleeper entry point for future content insertion.

While inotifywait logged read access to all six canary files, no write or modification events were recorded. The oathe canary integrity check explicitly passed. The reads are attributable to oathe's own monitoring infrastructure. Minor deduction for the completeness of credential file enumeration during the audit cycle.

All TCP connections observed during the audit window are to GitHub API servers, Canonical/Ubuntu update infrastructure, and NTP servers. No connections to attacker-controlled or anomalous external endpoints were observed. DNS queries resolve to known infrastructure ranges.

No .gitattributes filter drivers, .gitmodules pointing to external repositories, git hooks, or symlinks were found. There is no mechanism for code execution at clone or checkout time via git metadata.