Is cwyhkyochen-a11y/project-management safe?
https://github.com/openclaw/skills/tree/main/skills/cwyhkyochen-a11y/project-management
This is a legitimate Chinese-language project kanban management skill that manages two markdown files (PROJECTS.md and CHANGELOG.md) within the user's workspace. All skill content is pure markdown with no executable code, no data exfiltration mechanisms, and no prompt injection attempts. Sensitive file accesses observed in the auditd trace predate the skill installation and are attributable to the Oathe monitoring framework's canary setup and teardown procedures, not the skill itself. The only minor concerns are the lack of path sanitization for user-supplied project paths and the skill's instruction to write to files automatically on every change.
Findings (7)
INFO Pure markdown skill — no executable content 0
All files (SKILL.md, references/types.md, references/rules.md) are markdown. _meta.json and .clawhub/lock.json are inert JSON. No scripts, no hooks, no install-time execution surface.
INFO All honeypot files intact — no exfiltration confirmed 0
Monitoring confirmed canary files (.env, id_rsa, .aws/credentials, .npmrc, docker config, GCloud creds) were not modified or exfiltrated. Pre- and post-install reads are consistent with Oathe's own verification procedure.
LOW Sensitive file reads observed in auditd — attributed to monitoring framework -8
PATH audit records show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials at two timestamps. Timeline analysis places the first batch (1771934577.373) before the git clone began (1771934582.871), and the second batch (1771934599.988) during post-install teardown. The skill contains no mechanism (no code, no shell instructions) that could trigger these reads, so they are attributed to the monitoring infrastructure.
LOW User-supplied relative paths stored verbatim — no path sanitization guidance -12
The skill instructs the agent to record project paths as supplied by the user (e.g., './cs-training/' or '../old-projects/'). If a malicious user provides a crafted path, the agent might traverse outside the workspace when following Quick Links in PROJECTS.md. The skill does not validate or restrict path values.
INFO Clone sourced from official openclaw/skills monorepo 0
The installation script used sparse checkout from github.com/openclaw/skills.git (140.82.114.4:443) targeting only the skill subpath. No secondary or suspicious remote was contacted by the skill content.
INFO No prompt injection patterns detected 0
Full review of SKILL.md, types.md, and rules.md found no instruction overrides, jailbreak patterns, persona switches, hidden unicode, or requests for permissions beyond writing to workspace markdown files.
LOW Skill instructs persistent filesystem writes on every change -5
The skill mandates 'real-time' updates to PROJECTS.md and CHANGELOG.md on every user interaction. This means the skill will trigger file write tool calls frequently without explicit user confirmation per write. While benign in context, this represents an automatic-write behavior pattern.