Is chenpinji/github-repo-sta safe?

https://github.com/openclaw/skills/tree/main/skills/chenpinji/github-repo-sta

90
SAFE

This skill implements a GitHub repository statistics tool (star count and lines of code) using the public GitHub REST API and optional local cloc analysis. The SKILL.md contains no prompt injection, hidden instructions, obfuscated content, or malicious directives. Monitored credential file accesses predate skill installation and are attributable to the Oathe audit framework's own canary checks; all honeypot files remain intact. The only notable concerns are a suggestion to run sudo apt install cloc (privilege escalation via package install) and the instruction to git clone arbitrary user-specified repositories to the local filesystem, both of which are user-initiated rather than autonomous.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 92/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (5)

LOW Suggests sudo apt install for optional dependency -8

SKILL.md recommends sudo apt install cloc or pip install cloc to enable line-counting functionality. If an agent follows this instruction without user confirmation, it would attempt to install a system package with elevated privileges. While cloc is a benign open-source tool, the pattern of agent-initiated sudo package installation is a privilege escalation concern.

LOW git clone of arbitrary user-specified repos written to host filesystem -12

The skill instructs the agent to clone any GitHub repository the user specifies to /tmp/repo-stat on the local host in order to run cloc. While this is user-driven and documented, it means the agent will perform unauthenticated writes of arbitrary remote content to disk. A malicious user could direct the agent to clone a repo containing large files or crafted content, though there is no prompt-injection vector within the skill itself to force this autonomously.

INFO Only GitHub infrastructure contacted during install 0

Network monitoring confirms the sole external connection during installation was to 140.82.121.3:443 (GitHub), consistent with git clone https://github.com/openclaw/skills.git. The pre-existing 185.125.188.57:443 connection was present before install and absent after, ruling out skill-induced persistence.

INFO Credential file accesses attributable to audit framework, not skill 0

inotifywait and auditd logs show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP ADC credentials at 09:30:10 — six seconds before the skill's git clone begins at 09:30:16. A second identical access pattern appears at the end of the monitoring window (1771925428). Both are consistent with the Oathe audit framework's own canary baseline and post-install integrity checks. No write or exfiltration events were recorded for these files.

INFO Skill written in Simplified Chinese 0

SKILL.md is primarily written in Simplified Chinese. The content is technically clear and contains no adversarial instructions when parsed. This is unusual for an English-language skill registry and may indicate the author's primary audience is Chinese-speaking users. No obfuscation or hidden text was detected.