Is datadrivenconstruction/specification-extractor safe?
https://github.com/openclaw/skills/tree/main/skills/datadrivenconstruction/specification-extractor
The datadrivenconstruction/specification-extractor skill is a legitimate, cleanly implemented construction document parser that extracts CSI MasterFormat sections, submittals, and product data from PDF specification files. No prompt injection, data exfiltration mechanisms, malicious code, git hooks, or suspicious network behavior were detected. Credential file accesses observed in the monitoring logs are timing-consistent with the oathe monitoring infrastructure's canary baseline checks (occurring 5.5 seconds before the install script ran) and are confirmed harmless by the intact canary integrity verdict.
Category Scores
Findings (6)
LOW Credential files opened before install script — attributed to monitoring canary baseline -7 ▶
Six honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened with read-only access at audit timestamp 1771936417.890 (12:33:37). The skill install script did not begin execution until 1771936423.429 (12:33:43) — a gap of 5.5 seconds. A second identical batch of read accesses occurs at 1771936434.856 (post-install), matching a post-check pattern. Canary integrity monitoring confirms all files are intact with no content modification or exfiltration. This access pattern is consistent with the oathe monitoring infrastructure performing pre- and post-install canary state verification, not with skill-initiated credential harvesting.
LOW Skill requires external pip dependency (pdfplumber) -12 ▶
SKILL.md documents a required dependency: 'pip install pdfplumber'. Activating this skill requires the user to install pdfplumber and its transitive dependencies (pdfminer.six, Pillow, etc.) into their Python environment. pdfplumber is a well-known, open-source, MIT-licensed library with no history of malicious behavior. However, any pip install introduces supply-chain surface area that is outside the skill's own code boundary. No install scripts in the skill itself trigger this automatically — it is user-initiated.
LOW Git clone contacted GitHub over HTTPS as expected -10 ▶
The install process performed a shallow git clone of https://github.com/openclaw/skills.git, establishing a TLS connection to 140.82.121.4:443 (GitHub). This is the expected and declared install mechanism. No additional unexpected outbound connections were made by the install script. Pre-existing ESTAB connections to Canonical Ubuntu servers (91.189.91.49, 185.125.188.54) are system background processes unrelated to the skill install.
INFO Canary files read but content confirmed intact -5 ▶
Canary files were opened and read during the monitoring window (attributed to the oathe monitoring system's pre/post canary state checks), but no write, truncate, or network-send events were associated with any canary file. The monitoring system's integrity verification confirms no exfiltration occurred.
INFO Skill instructions are clean with no adversarial content -3 ▶
Full review of SKILL.md and instructions.md found no prompt injection, instruction-override language, persona redefinition, hidden unicode, HTML comments, external URL fetch instructions, or requests for permissions beyond what is declared. The instructions follow a standard task-workflow pattern appropriate for a construction document assistant.
INFO Filesystem permission scope is broad but appropriate for use case -7 ▶
The skill declares 'filesystem' permissions in claw.json. While appropriate for reading user-supplied construction spec PDFs, this grants the agent broad read access to any filesystem path the user directs it to. The skill's own code contains no logic to autonomously seek out sensitive files — it operates only on paths explicitly provided by the user. Risk is low but users should be aware that the agent could be directed to parse non-spec files if instructed.