Is cole-z/govee-control safe?

https://github.com/openclaw/skills/tree/main/skills/cole-z/govee-control

95 · SAFE

The govee-control skill is a documentation-only IoT guide for Govee smart lighting via their official OpenAPI, containing no executable code, no install hooks, no git submodules, and no prompt injection patterns. All monitoring signals are clean: the GitHub clone was standard and expected, no new persistent network connections were established, canary files remain intact with accesses attributed to the audit framework's own baseline checks, and the skill explicitly includes security guardrails that appropriately constrain agent behavior to Govee-specific operations. The only minor concern is that curl command-line headers expose the GOVEE_API_KEY in process listings, which is a standard tradeoff for shell-based API usage.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 96/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (5)

INFO · Canary files accessed — attributed to audit framework, not skill code · 0

Auditd PATH records show all six canary credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed twice during the audit session. Timestamps (1771922259.255 pre-install, 1771922276.019 post-install) correspond to the oathe canary baseline and verification steps, not to any code in the skill package. The skill contains no executable code capable of performing these reads. Canary integrity check confirmed all files unmodified.

LOW · GOVEE_API_KEY visible in process listing via curl -H argument · -5

The skill's curl commands pass the API key as a command-line header argument. On systems where other users can read /proc, this key may be momentarily visible in ps output. The skill correctly instructs storing the key in a chmod 600 file and sourcing it into the environment; using environment variable expansion in curl mitigates but does not eliminate this risk on all platforms.

INFO · No executable code, install scripts, or hooks present · 0

Skill package is documentation-only. Auditd EXECVE records during install confirm only standard git/cp/rm operations. No skill-originated processes were spawned.

INFO · Skill contains explicit security guardrails — positive signal · 0

The 'Autonomous Use Guardrails' section instructs the agent to restrict credential reads, restrict network destinations, and require user confirmation before bulk device changes. This is a positive security practice. Guardrails are advisory instructions, not technical enforcement, but they correctly constrain agent behavior scope.

INFO · Install network activity limited to GitHub and pre-existing Ubuntu connections · 0

The only new external connection during install was to 140.82.113.3 (GitHub) for the sparse clone. Connections to 185.125.188.59 and 185.125.190.18 (Canonical/Ubuntu CDN) pre-existed the install and are Ubuntu system update infrastructure. Post-install connection diff shows no new persistent connections.