Is desperado991128/peft safe?

https://github.com/openclaw/skills/tree/main/skills/desperado991128/peft

95
SAFE

The desperado991128/peft skill is a benign, purely documentary resource providing accurate guidance on HuggingFace's PEFT library for parameter-efficient LLM fine-tuning using LoRA, QLoRA, and related methods. It contains no executable code, no installation hooks, no git hooks or submodules, no prompt injection attempts, and no exfiltration mechanisms. Observed accesses to sensitive credential files are attributable to the oathe audit infrastructure's honeypot seeding and post-install verification phases rather than the skill itself, and the canary integrity check confirmed all files remained unmodified throughout.

Category Scores

Prompt Injection 98/100 · 30%
Data Exfiltration 93/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 94/100 · 5%

Findings (4)

LOW Version metadata inconsistency between _meta.json and SKILL.md -4

The _meta.json registry file declares version 0.1.0 while the SKILL.md frontmatter declares version 1.0.0. This discrepancy indicates the skill was not properly packaged or versioned, which could cause confusion about which version is authoritative. Not a security risk, but a quality/provenance concern.

LOW Author attribution mismatch between registry metadata and skill content -6

The _meta.json owner field identifies the submitter as 'desperado991128' while SKILL.md frontmatter claims authorship as 'Orchestra Research'. This could indicate the skill was packaged by a third party from another source, or that the attribution in one location is incorrect. Not a security concern but reduces provenance confidence.

INFO Read-only accesses to sensitive credential files detected — attributed to audit infrastructure -10

The inotifywait and auditd logs show two batches of read-only accesses to canary honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials). Timing analysis places the first batch (audit records 258-263 at timestamp 1771929514.070) before the git clone begins, and the second batch (records 1432-1437 at timestamp 1771929537.910) at audit teardown. The skill is static markdown with no filesystem access capability. Every access was recorded as CLOSE_NOWRITE, meaning the file was closed without having been opened for writing. Canary integrity check passed.

INFO Connections to Ubuntu/Canonical infrastructure during audit window -7

Network traffic captured to 91.189.91.49 (canonical.ubuntu.com, port 443) and 185.125.188.58 (Canonical Snap CDN, port 443). Both connections were present in the BEFORE connection snapshot, indicating these are pre-existing OS-level Ubuntu update or Snap daemon connections unrelated to the skill installation process.