Is cnf6682/lattice safe?
https://github.com/openclaw/skills/tree/main/skills/cnf6682/lattice
The cnf6682/lattice skill is a substantive but legitimate AI agent orchestration framework with no direct prompt injection, hidden instructions, or malicious executable code in its static content. The primary security concerns are operational: it establishes persistent autonomous cron-based execution every 30 minutes, includes an Auto-Triage mechanism that can autonomously relax user-defined quality and security constraints without human approval, and creates a shared TASKBOARD.md boot-sequence file that serves as a cross-agent prompt injection surface if any other process can write to it. Canary credential files were read during the installation window, but the oathe integrity check confirmed no exfiltration, and the timing and process context indicate the reads originated from the monitoring infrastructure rather than the skill itself.
Findings (9)
HIGH (-18): Autonomous constraint relaxation via Auto-Triage
The auto_triage.md template instructs a strong model (opus) to emit a JSON decision that can include RELAX, which instructs the next sub-agent to lower the acceptance criteria defined in the project CONSTITUTION. This happens without user approval, up to 3 times per pipeline run. Over multiple runs, critical quality or security constraints could be eroded incrementally, with each relaxation recorded in the audit trail as an ordinary triage decision.
HIGH (-10): Persistent autonomous cron job creation without per-run authorization
The skill instructs the installing agent to create a cron job (every 30 minutes) that fires an agentTurn with the full orchestrator prompt. Once created, this cron runs indefinitely without user re-authorization, spawning sub-agents that read and write workspace files, modify project state, and can further spawn consultant and synthesizer agents.
MEDIUM (-15): Canary credential files read during installation window
All six honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/application_default_credentials.json) were opened and read (CLOSE_NOWRITE) at audit timestamps 1771925927 (pre-clone) and 1771925946 (post-install). Although the oathe canary integrity check confirmed no modification or exfiltration, the systematic sequential read of all credential-class files during the installation window is noted. Pre-clone access is attributable to monitoring sudo setup; post-install access is consistent with the oathe framework's own integrity verification.
MEDIUM (-20): TASKBOARD.md is a shared prompt injection surface for all Lattice agents
Every Lattice agent reads ORG/TASKBOARD.md at boot before doing any work. If any other installed skill, external process, or untrusted input can write to this file, it becomes a persistent cross-session prompt injection vector affecting all agents operating within the Lattice org.
MEDIUM (-8): User-controlled placeholder values flow into sub-agent prompts
The orchestrator fills <project>, <org-root>, <repo-root>, and phase prompt paths from user-supplied input. A malicious or crafted project name containing prompt injection content (e.g. XML-breaking sequences or instruction overrides) would be embedded verbatim into every phase prompt delivered to sub-agents.
LOW (-8): Recurring sessions_spawn creates unbounded sub-agent graph
Each orchestrator trigger can spawn up to three parallel consultant agents plus a synthesizer plus a triage agent in addition to the primary phase sub-agent. The escalation chain and peer consult mechanism mean a single stuck task can spawn 6+ agents in a single trigger, consuming significant compute resources and expanding the attack surface.
LOW (-8): Notification channel exfiltration surface at runtime
The orchestrator is configured to broadcast pipeline state summaries to a user-specified notification channel on every trigger. If the channel is attacker-controlled or misconfigured, phase artifacts and project status (including potentially sensitive implementation details) are sent externally on every 30-minute cycle.
INFO (0): Clean installation, no executable artifacts
No executable scripts, compiled binaries, npm install hooks, git hooks, git submodules, or symlinks were found in the skill directory. The git clone only contacted github.com (140.82.121.3:443), and the install was a sparse checkout followed by a plain cp, with no post-install execution.
INFO (0): Canary integrity confirmed intact
Oathe's post-install canary check confirmed all honeypot credential files are unmodified. CLOSE_NOWRITE flags on all read events confirm no write operations occurred. No exfiltration was detected via the honeypot mechanism.