Is cruellacodes/escrow-agent safe?

https://github.com/openclaw/skills/tree/main/skills/cruellacodes/escrow-agent

Overall score: 73/100 · CAUTION

The cruellacodes/escrow-agent skill is an almost entirely empty package whose only file is a .clawhub/lock.json that misidentifies itself as a completely different skill (academic-research-hub). With an empty SKILL.md, the skill cannot currently perform prompt injection or data exfiltration, but the combination of a financial-domain name ('escrow-agent'), an adversarially-named author ('cruellacodes'), and deliberate identity spoofing via lock.json is consistent with a supply chain staging pattern: pass security audit empty, inject malicious content after trust is established. No active malicious behavior was confirmed during this audit, but the structural anomalies and suspicious context warrant caution before installation.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 75/100 · 10%
Canary Integrity 68/100 · 10%
Behavioral Reasoning 20/100 · 5%

Findings (7)

HIGH Lock.json Identity Spoofing: Registers as Different Skill -45

The .clawhub/lock.json file records the installation under the identity 'academic-research-hub' (version 0.1.0, installedAt 1770957475341) rather than 'escrow-agent'. When installed in a production environment, this skill would corrupt the user's skill registry by creating a phantom entry for academic-research-hub. This could: (1) block legitimate installation of a real academic-research-hub skill via duplicate-key collision, (2) cause confusion in skill management UIs, (3) evade skill-name-based security policies that block 'escrow-agent' but permit 'academic-research-hub', or (4) masquerade as a benign research tool while claiming escrow functionality in conversation.

HIGH Empty Financial-Domain Skill — Potential Supply Chain Staging -40

A skill claiming to be an 'escrow agent' (a financial transaction mediator) provides zero instructional content in SKILL.md. This is inconsistent with any legitimate escrow agent implementation, which would require detailed behavioral instructions for handling fund releases, dispute resolution, and counterparty verification. The pattern of an empty skill from an adversarially-named author in a high-risk financial domain is consistent with a staging attack: the skill passes security audit in its current empty state and malicious content is injected via update after trust is established in the registry.

MEDIUM Credential Files Accessed Twice During Audit Session -32

Six sensitive credential files were accessed at two distinct timestamps: once at session initialization (1771957087) and once 30 seconds after skill installation (1771957117). The post-install access at 1771957117.462 shows all six files opened within the same millisecond, which is characteristic of an automated scan rather than adversarial access. The official canary integrity report confirms all files are intact with no exfiltration. Both access patterns are attributed to the oathe audit framework's baseline and post-install verification sweeps. However, the existence of these PATH records warrants documentation.

MEDIUM Post-Install Credential File Access Pattern -20

The pattern of all six credential files being accessed in rapid succession approximately 30 seconds after skill installation is consistent with the oathe audit framework performing its standard post-install canary verification sweep. No content from these files was observed in network traffic. No modification of files occurred. However, in a non-sandboxed production environment where audit infrastructure is not present, the same installation timing could indicate the skill triggering credential enumeration via a side channel not captured here.

LOW External Connections to AWS Infrastructure Active Post-Install -12

Two ESTABLISHED TCP connections to 34.233.6.177:443 (AWS us-east-1) are present in the post-install connection snapshot, attributed to the openclaw-gateway process (pid=1087). These connections were already established prior to skill installation based on process attribution and are part of the audit infrastructure. No connections attributable directly to the skill being tested were detected.

LOW Extremely Minimal Package Containing Only Mismatched Metadata -12

The skill package contains only one file: .clawhub/lock.json. No SKILL.md content, no source code, no configuration, no documentation. The sole file present contains incorrect identity information. This level of minimalism is unusual and could indicate the skill is a placeholder, that installation failed to retrieve actual content, or that the skill was intentionally stripped before distribution.

INFO No Active Prompt Injection Content Detected 0

SKILL.md is completely empty. The skill cannot currently modify agent behavior, override system instructions, request elevated permissions, or inject any instructions into the LLM system prompt. This is the safest possible state with respect to prompt injection risk.