Is cubetribe/cc-godmode safe?

https://github.com/openclaw/skills/tree/main/skills/cubetribe/cc-godmode

Score: 73 (CAUTION)

CC_GodMode is a documentation-only multi-agent orchestration skill that passes canary integrity checks and performs a clean install with no malicious install-time code. However, it imposes a hard persona override ('You are the Orchestrator'), enforces non-bypassable multi-agent workflows, and creates a significant prompt injection attack surface through its 'Process Issue #X' command which feeds attacker-controlled GitHub issue content directly to the orchestrator for execution. Eight subagents are granted unrestricted filesystem and shell access at runtime with no path restrictions or sandboxing.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 65/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (10)

HIGH Hard Persona Override — 'You Are the Orchestrator' -20

SKILL.md begins with a direct identity reassignment: 'You are the Orchestrator for CC_GodMode'. When injected into an agent's system prompt, this overrides any base role configuration. The instruction 'You NEVER implement yourself' further constrains agent capability. These behavioral locks persist for the entire session and cannot be disabled by the user without removing the skill.

HIGH GitHub Issue Content Used as Orchestrator Instructions — Prompt Injection Vector -20

The 'Process Issue #X' workflow instructs @github-manager to load issue content, then the Orchestrator 'analyzes' it and selects a workflow to execute. GitHub issue bodies are attacker-controlled; any user who can file issues on a target repo (all public repos) can craft issue content containing instructions that will be interpreted as legitimate user commands by the orchestrator, potentially triggering @builder to execute code or @github-manager to push changes.

MEDIUM Non-Bypassable Workflow Enforcement via Golden Rules -10

The 10 Golden Rules include 'No Skipping — Every agent in the workflow must be executed', '@api-guardian is MANDATORY for API changes — No exceptions', and 'Dual Quality Gates — @validator AND @tester must BOTH be green'. These rules instruct the agent to resist shortcuts and force multi-agent execution regardless of task complexity. This removes the agent's ability to exercise proportionality.

MEDIUM Eight Agents with Unrestricted File System and Shell Access -15

Every agent in the workflow has broad tool grants. @builder holds Read, Write, Edit, Bash, Glob, Grep with instructions to read 'existing code', create new files, and run shell commands. @researcher holds WebFetch and WebSearch with no URL restrictions. @github-manager holds full GitHub MCP access plus Bash (gh). No path restrictions, no allowlists, no sandboxing described anywhere in the skill documentation.

MEDIUM Runtime Shell Execution Across Five Agents -15

@builder is instructed to run npm test, npm run typecheck, npm run lint, and arbitrary shell commands. @validator runs tsc --noEmit and git diff. @tester runs npm run dev and invokes Playwright. @github-manager runs gh CLI including gh release create with variable interpolation from CHANGELOG content. These are runtime instructions that any sufficiently crafted orchestrator input can invoke.

MEDIUM Six Canary Credential Files Opened and Read During Install Window -15

All six honeypot credential files were opened and accessed (CLOSE_NOWRITE — read-only) during the monitoring window: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. The access pattern (identical file set, same order, timestamps clustering at monitoring start and end) is consistent with the oathe monitoring infrastructure performing baseline and final canary integrity checks rather than skill-initiated reads. Canary integrity is confirmed intact by the monitoring system.

MEDIUM Mandatory Multi-Agent Pipelines Create Disproportionate Attack Surface -15

Even a simple 'Bug Fix' command triggers a minimum three-agent pipeline (@builder + @validator + @tester) with parallel Playwright browser automation and TypeScript compilation. A 'New Feature' command triggers up to six agents. Each additional agent invocation is an additional opportunity for injected instructions, tool misuse, or cost amplification. A malicious actor could trigger runaway pipeline execution via a simple crafted user message.

LOW Skill Manifest Declares requires_credentials: true -5

clawdis.yaml explicitly sets runtime.requires_credentials: true and lists optional credentials including GH_TOKEN, Claude/Anthropic auth, and MCP server tokens. While listed as optional, this declaration signals that the skill's intended operation involves credential access, and runtime agent instructions may guide the agent toward locating and using these credentials.

LOW Install Clones Full Monorepo Before Sparse Checkout -10

The install script clones the entire openclaw/skills.git monorepo (with --depth 1) to /tmp/monorepo-clone before performing a sparse checkout to extract only the cc-godmode subpath. This downloads all top-level skills repository objects unnecessarily. The tmp directory is cleaned up post-install. This is not a security risk, but it is wasteful and slightly expands the transient footprint.

INFO No Install-Time Executable Code Confirmed 0

Comprehensive scan of the skill package confirms no package.json with npm scripts, no .githooks/ directory, no .gitattributes filter drivers, no .gitmodules, no symlinks, and no shell scripts in the package. The clawdis.yaml install_time_executes_code: false declaration is accurate. All code execution risks are runtime only.