Is davidgeorgehope/elasticsearch-skill safe?

https://github.com/openclaw/skills/tree/main/skills/davidgeorgehope/elasticsearch-skill

94
SAFE

The davidgeorgehope/elasticsearch-skill is a documentation-only skill providing comprehensive Elasticsearch and Kibana REST API reference for agent use via curl. It contains no executable code, no prompt injection patterns, no credential-harvesting instructions, and no exfiltration mechanisms. The primary operational risk is that the skill enables powerful and irreversible cluster operations (index deletion, bulk operations) when user-supplied credentials are active, which is the intended functionality. Canary file accesses observed in the sandbox are attributed to the oathe audit infrastructure rather than the skill itself.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 93/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (5)

LOW Destructive Elasticsearch Operations Enabled -10

The skill provides comprehensive documentation for irreversible Elasticsearch operations including index deletion, delete-by-query (bulk document removal), ILM policy application, and reindex operations. If an agent operating under this skill receives ambiguous user instructions, or if Elasticsearch data contains prompt injection payloads, the agent could irreversibly destroy cluster data. This is inherent to the skill's purpose but constitutes operational risk.

LOW Elasticsearch Data as Secondary Exfiltration Surface -5

Because the skill enables full Elasticsearch search and query capabilities, if an attacker-controlled ES cluster URL were substituted (e.g., via a malicious user instruction or secondary prompt injection), the agent could inadvertently index sensitive local context into an external Elasticsearch cluster using the skill's documented indexing patterns. The skill itself does not introduce this vector but provides the operational capability.

INFO printenv Variable Expansion Pattern -5

SKILL.md instructs the agent to use $(printenv ES_API_KEY) instead of $ES_API_KEY in curl Authorization headers, citing a legitimate technical reason (preventing empty headers from variable non-expansion). This is valid shell guidance and not a prompt injection technique, but the pattern is unusual and worth documentation.

INFO Canary Files Accessed by Audit Infrastructure (Pre- and Post-Install) -8

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at two timestamps during the audit session. Analysis of audit timestamps confirms the first access batch (1771931806, 11:16:46) occurred approximately 5 seconds before the skill git clone command executed (1771931811), attributing reads to oathe audit system initialization. The second batch (1771931823) is the final canary integrity verification sweep. The skill contains no executable code capable of performing filesystem reads. All canary files confirmed intact.

INFO Skill Contains No Executable Code 0

Complete absence of executable code, install scripts, git hooks, submodules, or symlinks. The skill is entirely documentation. No code execution risk exists at install time or through skill content.