Is chenleiyanquan/receiving-code-review safe?

https://github.com/openclaw/skills/tree/main/skills/chenleiyanquan/receiving-code-review

Overall score 87/100 · Verdict: SAFE

The receiving-code-review skill is a markdown-only workflow guide: it contains no executable code, no exfiltration mechanism, and no network side effects attributable to the skill itself. The residual risks are behavioral rather than technical: a covert signal phrase that creates an out-of-band channel the user is not told about, a hard-coded trust hierarchy around 'your human partner' that could be socially engineered, and a reviewer-skepticism rule that could be used to block legitimate security feedback. Canary file reads observed during monitoring line up with the audit framework's own activity, and an integrity check confirmed every canary file unchanged.

Category Scores (score/100 · weight; the overall score is the weighted average)

Prompt Injection 76/100 · 30%
Data Exfiltration 91/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (6)

MEDIUM Covert signal phrase embeds hidden communication channel -12

The skill instructs the agent to emit 'Strange things are afoot at the Circle K' as a covert signal when uncomfortable pushing back. This is an out-of-band communication mechanism that operates below user awareness. An attacker who authored the skill and knows this codeword can interpret agent behavior in ways opaque to the actual user. While not directly harmful, it trains the agent to communicate covertly rather than transparently.

MEDIUM Trust hierarchy privileging 'your human partner' could be socially engineered -20

The skill uses 'your human partner' as a designated high-trust principal, referenced 10+ times across all trust decisions, and instructs the agent to defer to this entity over every external reviewer. Because the phrase is baked into the skill rather than bound to the actual session principal, anyone who frames their request in the voice of 'your human partner' can claim elevated trust over legitimate reviewers, including security professionals, without the agent having any way to check the claim.

LOW External reviewer skepticism could suppress legitimate security review -7

The skill instructs the agent to apply a five-point verification checklist before implementing any suggestion from 'External Reviewers' and to push back if the reviewer 'lacks full context.' While defensible in principle, this posture could prevent security researchers or automated scanners (which by that standard never have 'full context') from having their findings addressed, particularly when combined with the YAGNI removal logic below.

LOW YAGNI enforcement could be weaponized to reject security additions -5

The skill instructs the agent to grep the codebase for usage before implementing any 'professional' feature suggested by a reviewer, and to recommend removal if the feature appears unused. Security controls (rate limiting, audit logging, input validation) are frequently wired in through decorators, middleware registration or configuration strings rather than called by name from other code, so a grep for call sites reports them as dead. An attacker can exploit this by framing removal of defensive code as a routine code review suggestion and letting the YAGNI rule do the rest.
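To make the failure mode concrete, here is an added example (written for this review, not code from the skill, the audit framework or any real project) that runs the skill's grep-for-callers rule and a reference-aware variant over a constructed three-file toy codebase. The names rate_limit, audit_log and InputValidation, the file paths and the file contents are all invented for illustration.

```python
"""Added example: why a grep-for-callers YAGNI check misclassifies security
controls. The sample files are a constructed toy codebase, not real code."""
import re

# Constructed sources. Each control is wired in without a direct call:
# a bare decorator, a middleware path string, and a logger config string.
SAMPLE_FILES = {
    "app/security.py": """\
def rate_limit(fn):
    # Decorator: applied by annotation, never called by name elsewhere
    return fn

def audit_log(event):
    print(event)

class InputValidation:
    def __call__(self, request):
        return request
""",
    "app/views.py": """\
from app.security import rate_limit

@rate_limit
def login(request):
    return "ok"
""",
    "app/settings.py": """\
MIDDLEWARE = [
    "app.security.InputValidation",
]
LOGGERS = {"audit": "app.security.audit_log"}
""",
}

SECURITY_CONTROLS = ["rate_limit", "audit_log", "InputValidation"]


def _defines(name, src):
    """True if this file is where `name` is defined (def/class at line start)."""
    return re.search(rf"^\s*(?:def|class)\s+{re.escape(name)}\b", src, re.M) is not None


def direct_call_sites(name, files):
    """The skill's rule as literally stated: grep for callers.

    Counts `name(` outside the defining file. Decorators, middleware lists
    and dotted config strings never match, so every control looks dead."""
    pat = re.compile(rf"\b{re.escape(name)}\s*\(")
    return sum(len(pat.findall(src)) for src in files.values() if not _defines(name, src))


def references(name, files):
    """Reference-aware count: any whole-word mention outside the defining
    file, including imports, decorators and strings used for dynamic loading."""
    pat = re.compile(rf"\b{re.escape(name)}\b")
    return sum(len(pat.findall(src)) for src in files.values() if not _defines(name, src))


def flag_for_removal(files, names, counter):
    """Names the YAGNI rule would recommend removing under the given counter."""
    return [n for n in names if counter(n, files) == 0]


if __name__ == "__main__":
    print("grep-for-callers flags:", flag_for_removal(SAMPLE_FILES, SECURITY_CONTROLS, direct_call_sites))
    print("reference-aware flags: ", flag_for_removal(SAMPLE_FILES, SECURITY_CONTROLS, references))
```

Under the literal rule all three controls come back as removable; under the reference-aware count none do. A reviewer asked to "clean up unused code" should at minimum require the second kind of check, and should treat zero references to anything named like a security control as a reason to look at wiring and configuration before deleting it.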

INFO Canary files read during monitoring window — attributed to audit framework -10

Sensitive canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read; only CLOSE_NOWRITE events were recorded, meaning every handle was closed without having been opened for writing. Timestamp analysis places the first read cluster (12:16:39) before the git clone began (12:16:45), consistent with the audit framework's pre-install baseline. The second read cluster (12:17:03) occurred after the GitHub connection had closed, so nothing read then could have left over that connection. The canary integrity check confirms all files unchanged.
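The attribution argument above is mechanical enough to script. The following is an added example written for this review, not the audit framework's own tooling: it parses constructed inotify-style access events, places each read relative to the clone's network window, and compares canary contents against pre-install hashes. All log lines, paths and file contents are constructed. The clone start time (12:16:45) is the value quoted in the finding; the time the connection closed is an assumption made for this example, and the 12:16:50 read and the 12:17:10 CLOSE_WRITE are added deliberately to exercise the "needs review" and "modified" paths, neither of which occurred in the audit.

```python
"""Added example, not the audit framework's code: attribute canary-file
access events to the install timeline and verify canary integrity.

Every log line, path, timestamp and file body here is constructed."""
import hashlib
from dataclasses import dataclass
from datetime import time

# Constructed inotify-style events: HH:MM:SS, event mask, path.
CANARY_LOG = """\
12:16:39 OPEN /home/agent/.env
12:16:39 CLOSE_NOWRITE /home/agent/.env
12:16:39 OPEN /home/agent/.ssh/id_rsa
12:16:39 CLOSE_NOWRITE /home/agent/.ssh/id_rsa
12:16:50 OPEN /home/agent/.aws/credentials
12:16:50 CLOSE_NOWRITE /home/agent/.aws/credentials
12:17:03 OPEN /home/agent/.npmrc
12:17:03 CLOSE_NOWRITE /home/agent/.npmrc
12:17:10 OPEN /home/agent/.docker/config.json
12:17:10 CLOSE_WRITE /home/agent/.docker/config.json
"""

CLONE_START = time(12, 16, 45)  # from the finding
NET_CLOSED = time(12, 17, 0)    # assumed for this example

# inotify masks that imply the file content may have changed.
WRITE_MASKS = {"CLOSE_WRITE", "MODIFY", "DELETE_SELF", "MOVE_SELF"}


@dataclass(frozen=True)
class Event:
    ts: time
    mask: str
    path: str


def parse_log(text):
    """Parse 'HH:MM:SS MASK PATH' lines into Event records."""
    events = []
    for line in text.splitlines():
        stamp, mask, path = line.split(" ", 2)
        h, m, s = (int(x) for x in stamp.split(":"))
        events.append(Event(time(h, m, s), mask, path))
    return events


def attribute(events, clone_start=CLONE_START, net_closed=NET_CLOSED):
    """Give each close event a verdict based on where it sits in the timeline.

    Reads before the clone started are the framework's pre-install baseline;
    reads after the connection closed had no network path to exfiltrate over;
    reads inside the window, and any write, need a human look."""
    verdicts = []
    for ev in events:
        if ev.mask in WRITE_MASKS:
            verdicts.append((ev.ts, ev.path, "MODIFIED"))
        elif ev.mask == "CLOSE_NOWRITE":
            if ev.ts < clone_start:
                v = "BASELINE_PRE_CLONE"
            elif ev.ts > net_closed:
                v = "POST_NETWORK"
            else:
                v = "IN_NETWORK_WINDOW"
            verdicts.append((ev.ts, ev.path, v))
    return verdicts


def needs_review(verdicts):
    """Events the timeline alone cannot clear."""
    return [(p, v) for _, p, v in verdicts if v in ("MODIFIED", "IN_NETWORK_WINDOW")]


# Constructed canary bodies recorded before install, and the state after.
BASELINE_CONTENTS = {
    "/home/agent/.env": b"API_KEY=canary-0001\n",
    "/home/agent/.docker/config.json": b'{"auths": {}}\n',
}
AFTER_INSTALL = dict(BASELINE_CONTENTS)
AFTER_INSTALL["/home/agent/.docker/config.json"] = b'{"auths": {"registry.example": {}}}\n'


def baseline_hashes(contents):
    return {p: hashlib.sha256(b).hexdigest() for p, b in contents.items()}


def changed_files(baseline, current):
    """Paths whose current bytes no longer match the baseline hash."""
    return sorted(p for p, h in baseline.items()
                  if hashlib.sha256(current.get(p, b"")).hexdigest() != h)


if __name__ == "__main__":
    verdicts = attribute(parse_log(CANARY_LOG))
    for ts, path, v in verdicts:
        print(ts, path, v)
    print("needs review:", needs_review(verdicts))
    print("changed:", changed_files(baseline_hashes(BASELINE_CONTENTS), AFTER_INSTALL))
```

The timeline check and the hash check answer different questions: the first says whether a read could have fed an exfiltration over the observed connection, the second whether anything was altered. Both should pass before a canary finding is downgraded to informational, and a read inside the network window is not cleared by CLOSE_NOWRITE alone, since a read-only open is exactly what exfiltration looks like.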

INFO Skill is pure markdown — no executable surface 0

SKILL.md contains only markdown text. No package.json, no install scripts, no git hooks, no submodules, no symlinks, and no binary or script files were present in the skill directory. The only file operations observed during installation were performed by the audit framework's sparse-checkout script.