Is davienzomq/context-gatekeeper safe?
https://github.com/openclaw/skills/tree/main/skills/davienzomq/context-gatekeeper
Context-gatekeeper is a legitimate token-optimization skill that summarizes conversation history into a compact briefing file injected before each agent response. The Python code is clean with no network exfiltration, no access to sensitive credential files, and a safe install. The primary concerns are architectural: the skill ships a persistent background daemon designed to survive session resets, it accumulates full conversation history in an unencrypted plaintext file, and its context-replacement pattern creates an indirect manipulation surface if combined with any file-writing skill.
Findings (7)
MEDIUM: Persistent background daemon designed to survive session resets (-25)
auto_monitor.py is an infinite-loop polling daemon. The README instructs users to invoke ensure_context_monitor.sh from STARTUP.md so the monitor automatically restarts after /reset, /new, or any reboot. This installs a long-running Python process with filesystem read/write access that persists beyond the agent session lifecycle.
MEDIUM: subprocess.run() in background monitor executes Python interpreter (-15)
auto_monitor.py invokes context_gatekeeper.py via subprocess.run() using sys.executable and hardcoded BASE-relative paths. While the current implementation is safe (no user-controlled arguments reach the call), this pattern means a malicious update to context_gatekeeper.py would be silently executed by the already-running daemon without the user's awareness.
MEDIUM: Full conversation history persisted to plaintext file on disk (-20)
The skill's core workflow requires the agent to append every USER and ASSISTANT message to context/history.txt. This creates a persistent, unencrypted log of the entire conversation session. On a multi-user or shared filesystem this file is accessible to any process running as the same user.
LOW: Agent instructed to inject externally-controlled file content into context before every response (-15)
SKILL.md instructs the agent to load context/current-summary.md (generated from raw user conversation history) and inject it into the prompt before every API call. The summary is produced by a keyword-matching heuristic that surfaces sentences containing words like 'todo', 'action', 'follow', 'status'. An adversarial user message matching these keywords will be promoted into every subsequent agent response's injected context.
LOW: Context replacement creates indirect manipulation surface when combined with file-writing skills (-20)
The skill positions current-summary.md as the authoritative context substitute for the full conversation. Any co-installed skill that can write to the filesystem could modify this file to steer agent behavior across all subsequent responses without the user observing a direct injection in the chat stream.
INFO: Install performs expected sparse GitHub clone only (0)
The installation clones github.com/openclaw/skills using git sparse-checkout targeting only the skill subdirectory. Network traffic is limited to github.com (140.82.121.4:443). No unexpected destinations were contacted, and there was no post-install network activity by the skill code.
INFO: Canary files read by monitoring infrastructure, not by skill (0)
Canary files (.env, .ssh/id_rsa, .aws/credentials, etc.) were accessed read-only at two points: 04:55:09 (pre-clone oathe setup) and 1771908932 (post-audit oathe integrity scan). Neither access correlates with execution of a skill script. All files were confirmed intact, with no exfiltration observed.