Is charmmm718/backend-patterns safe?

https://github.com/openclaw/skills/tree/main/skills/charmmm718/backend-patterns

96
SAFE

The charmmm718/backend-patterns skill is a clean educational reference containing only standard Node.js/Next.js backend development patterns in markdown format. No executable code, git hooks, submodules, or injection vectors were found in the skill files, and the only network activity during installation was an expected HTTPS connection to GitHub. Read-only accesses to sensitive credential paths observed in monitoring data are attributable to the audit infrastructure's own initialization and post-install verification sweep — the canary integrity check passed, all accesses were CLOSE_NOWRITE, and the timing precedes the skill's installation by 5.5 seconds.

Category Scores

Prompt Injection 98/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 99/100 · 20%
Clone Behavior 96/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 97/100 · 5%

Findings (3)

LOW Pre-installation read-only access to credential file paths -4

Auditd recorded OPEN+ACCESS+CLOSE_NOWRITE syscalls against six sensitive credential paths (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) at epoch 1771649864.604. This timestamp precedes the skill's git clone by ~5.5 seconds and aligns with the audit framework's own initialization (sudo/auditctl at 1771649864.581). A second identical read pass at 1771649881.025 follows post-install and is consistent with a canary verification sweep. No writes, no network exfiltration, and canary integrity confirmed. Attributing to monitoring infrastructure with low confidence that skill is responsible.

INFO Single expected outbound HTTPS connection to GitHub 0

The only external network connection observed was to 140.82.121.4:443 (github.com), established by git-remote-https during the sparse-checkout clone. DNS queries resolved only github.com. No C2 beaconing, no data exfiltration endpoints, and no firewall blocks triggered.

INFO Skill content is clean educational markdown 0

Full inspection of SKILL.md found no prompt injection patterns: no 'ignore previous instructions', no invisible characters, no encoded directives, no external URL fetch commands, no persona override, and no permission escalation language. The frontmatter declares an accurate name and description matching the content.