Is codezz/brainrepo safe?
https://github.com/openclaw/skills/tree/main/skills/codezz/brainrepo
BrainRepo is a personal knowledge management skill implementing PARA + Zettelkasten methodology. The skill contains only markdown documentation with no executable code, no git hooks, no submodules, and no prompt injection attempts. The primary risks are privacy-related: the skill's documented git workflows recommend 'git push' which could expose personal notes (journals, contacts, family data) to external remotes, and a lock.json file references an undeclared dependency on 'academic-research-hub' that may trigger secondary skill installation in some environments. All canary honeypot files were confirmed intact with no exfiltration detected.
Findings (6)
MEDIUM git push workflows may expose personal data to external remotes -15
The skill's documented daily and weekly review workflows explicitly recommend 'git push' after committing. If a user has configured a remote repository, all personal notes including journal entries, contact details, health information, and family notes will be pushed externally. While not malicious, this is a privacy risk that users may not anticipate.
LOW Undeclared dependency on academic-research-hub in lock.json -10
The .clawhub/lock.json bundled with this skill lists 'academic-research-hub' v0.1.0 as an installed dependency. This skill was not installed during the audit and no behavior was observed from it, but its presence in the lock file is unexplained and could trigger installation of a secondary skill in certain ClawHub environments.
LOW Persistent pre-action check on every interaction -7
The skill instructs the agent to check for brainrepo initialization 'Before any action'. This creates a mandatory filesystem check on every user interaction, even those unrelated to note-taking, which adds latency and gives the skill persistent presence in the agent's decision-making loop.
LOW git commit -am stages and commits all untracked files -8
The recommended commit commands use 'git commit -am' or 'git add -A' which stages all files in the working directory. If brainrepo is initialized in a directory with pre-existing sensitive files, those files could be committed to the git history.
INFO Post-install connections to 34.233.6.177 from openclaw-gateway -5
Two established TCP connections to 34.233.6.177:443 appear in the post-install netstat diff, attributed to the openclaw-gatewa process. This is Oathe's own gateway infrastructure and not related to the skill, but noted for completeness.
INFO Credential files accessed post-installation — attributed to Oathe canary checking -5
Files .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials were accessed approximately 4.6 seconds after skill installation. The access pattern (systematic, all canary files, no modifications) is consistent with the Oathe platform's own post-install canary integrity verification. Canary integrity check confirmed all files intact.