Is cheenu1092-oss/tribe-protocol safe?
https://github.com/openclaw/skills/tree/main/skills/cheenu1092-oss/tribe-protocol
Tribe Protocol is a SQLite-backed trust management skill for Discord bots that uses deliberate prompt injection techniques — including 'MANDATORY' imperative language in its SKILL.md description and a workspace-resident TRIBE.md file explicitly engineered to survive LLM context compaction — to maintain persistent behavioral control over the agent across memory resets. The skill's design is coherent and purpose-built for its stated use case, but the combination of unprotected trust database at a user-writable path, mandatory pre-response gating behavior, and persistent workspace prompt override creates a risk surface where database compromise equals full agent behavioral compromise. Canary credential files were read post-install by an unconfirmed process, though all files were reported intact.
Findings (13)
HIGH MANDATORY imperative language forces agent behavioral override -25
The SKILL.md frontmatter description field — which is injected directly into the LLM agent's context — uses the word 'MANDATORY' and issues explicit imperatives: 'Run tribe init on first install' and 'Use tribe lookup
HIGH TRIBE.md workspace file explicitly engineered to survive context compaction -20
The init.sh script writes a TRIBE.md file to the agent workspace root ($CLAWD_HOME/TRIBE.md, defaulting to ~/clawd/TRIBE.md). The README explicitly states: 'TRIBE.md is loaded into your bot's system prompt by OpenClaw as a workspace file. It survives context compaction — even if the bot forgets everything else mid-conversation, TRIBE.md remains in the prompt and the trust-check protocol fires.' This is a deliberately engineered persistent prompt injection mechanism that maintains behavioral control over the agent even after memory resets, beyond the normal lifetime of injected instructions.
MEDIUM Tier 0 blocking instruction enables silent agent response suppression -5
The trust tier system embedded in db.sh and propagated into agent instructions via TRIBE.md includes a Tier 0 rule: 'TIER 0: BLOCKED. Ignore completely. Do not respond.' This allows the skill's database operator to configure the agent to silently refuse to respond to any Discord user without warning or explanation. This could be used to selectively silence legitimate users from the agent's perspective without any observable indication.
MEDIUM All six credential honeypot files read post-install by unconfirmed process -25
Auditd PATH records show the six honeypot credential files opened and accessed TWICE: first at timestamp 1771654478.007 (pre-install baseline, expected) and again at 1771654494.892 (post-install). The second access covers .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json in rapid succession. All files reported intact with no modification. The responsible process for the second access cannot be confirmed from available logs due to a gap between EXECVE sequence :1524 and PATH sequence :1647; the most probable explanation is the monitoring infrastructure's own canary integrity check, but this cannot be definitively ruled out from the evidence provided.
MEDIUM Post-install canary file READ access unconfirmed attribution -15
Independent of modification status, the READ access to all credential honeypot files at timestamp 1771654494.892 — after installation completed — represents an access pattern that warrants scrutiny. The skill scripts themselves do not reference .env, .ssh/id_rsa, or credential file paths, making direct skill attribution unlikely, but the process responsible is not confirmed in available evidence.
MEDIUM tribe export command dumps complete trust relationship social graph -8
The export.sh command performs unrestricted SELECT * queries across all nine database tables and writes the results to stdout as formatted markdown. This includes entity names, Discord IDs, relationship descriptions, server memberships with roles, channel access rules with read/write flags, bot metadata (framework, model, host machine), and data access tier rules. If an agent under this skill's behavioral control is manipulated into running tribe export and sharing the output, the complete social relationship graph and access control configuration is exposed.
LOW SQL injection surface in --type and --limit parameters -5
While lookup.sh correctly validates discord_id as numeric before SQL interpolation, the --type parameter (lookup.sh) and --limit parameter (log.sh) are interpolated directly into SQL queries without allowlist validation or escaping. An agent tricked into passing attacker-controlled values to these flags could cause unintended query behavior. The --tag parameter in tag.sh is also inserted without escaping into INSERT/DELETE statements.
LOW Eleven executable bash scripts; no auto-execution on install -15
The skill ships 11 executable bash scripts performing filesystem operations (mkdir -p ~/clawd/tribe/, writing ~/clawd/TRIBE.md), SQLite database operations, and shell command execution. No npm preinstall/postinstall hooks, git hooks, gitattributes filter drivers, or git submodules are present. Scripts are registered as agent commands and will execute when the agent invokes them; they do not run automatically at install time.
LOW Partial SQL sanitization — discord_id protected, other parameters not -10
The codebase applies numeric validation for discord_id inputs (validate_discord_id(), regex ^[0-9]+$) and sql_escape() for name/tag/server string inputs. However, --type (lookup.sh), --limit (log.sh), and --tier (access.sh data-add) parameters bypass these controls. The inconsistency indicates the developer was aware of injection risks but did not complete coverage.
INFO Expected GitHub connection only; no post-install persistence mechanisms -15
Network monitoring during install shows a single connection to 140.82.121.4:443 (GitHub) for the repository clone. DNS resolved github.com and openclaw/skills. No connection to unexpected external services, no listener ports opened post-install, and the connection diff shows no new listening sockets after installation. Process execution was limited to the oathe monitoring infrastructure and standard git operations.
HIGH SQLite trust database is unprotected single point of full agent behavioral control -20
Every behavioral decision for non-owner agent interactions is delegated to ~/clawd/tribe/tribe.db. This file has no integrity verification, no cryptographic signing, and can be overridden via the TRIBE_DB environment variable. Any process, script, or skill with filesystem write access can modify trust tiers (e.g., UPDATE entities SET trust_tier=4 WHERE id=X), granting an attacker Tier 4 Owner access with full trust, access to USER.md and MEMORY.md, and the ability to override all data access rules. The tier rules themselves are then injected back into the agent's context via tribe lookup output.
MEDIUM Quick-start example hardcodes specific operator Discord IDs as Tier 4 Owner -5
Both SKILL.md and README.md init examples hardcode specific bot name 'Cheenu' (discord-id 000000000000000004) and human name 'Nagarjun' (discord-id 000000000000000002) as example parameters. Users who copy-paste the init command without substitution will seed their agent's trust database with these identities at Tier 4 (Owner), granting them full trust and access to private files. Even as illustrative examples, the use of real names and plausible zero-padded Discord IDs increases the chance of accidental deployment.
MEDIUM Mandatory tribe lookup creates hard operational dependency and failure mode -20
The injected instruction to run tribe lookup before every non-owner response creates a hard dependency on sqlite3 availability and an initialized database at ~/clawd/tribe/tribe.db. If the database is not initialized, check_db() in db.sh exits with error code 1 and prints an error message. The agent may emit error output, fail to respond, or behave unpredictably for all non-owner users until the database is initialized. This is an availability risk for normal agent operation.