Is dingqing404/geekbench safe?

https://github.com/openclaw/skills/tree/main/skills/dingqing404/geekbench

Overall score: 90/100 (SAFE)

The dingqing404/geekbench skill is a legitimate Geekbench benchmark lookup tool with a clean SKILL.md containing no prompt injection, override, or exfiltration instructions. The credential file accesses recorded in monitoring are attributable to the oathe audit infrastructure's own canary mechanisms — confirmed by the explicit canary integrity pass and the timing of accesses preceding the git clone. The primary concern is developer artifacts (Python scripts and archived monitoring data) bundled unnecessarily in the skill package, though none were executed during installation and none are referenced by SKILL.md.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (5)

INFO Credential file accesses attributed to audit infrastructure -5

Files .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were opened at timestamps 1771906861 (before git clone at 1771906866) and 1771906884 (post-install). Timing and canary integrity confirmation indicate these are oathe's own honeypot setup and verification steps, not skill-driven access.

LOW Python scripts bundled in skill directory but not executed -12

geekbench_crawler.py, monitor.py, and tasks.py are included in the skill package. These were not executed during installation and are not referenced in SKILL.md. They appear to be the developer's own automation scripts left in the repo. An agent with shell tool access could potentially invoke them, though SKILL.md does not instruct this.

LOW Unnecessary developer artifacts inflate skill package -6

The skill ships with 30+ monitoring archive files (.md and .json), raw benchmark data JSON files, and monitoring report text files. These are operational artifacts from the developer running the tool as a personal service, not necessary for a SKILL.md-based agent skill. They expose the developer's usage patterns and could confuse agent context.

INFO Skill instructs real-time web search — expected behavior 0

SKILL.md explicitly instructs the agent to search the web rather than rely on training data. This is correct and appropriate for benchmark data that changes daily, and presents no injection risk.

INFO Network activity limited to GitHub during install 0

The only external TCP connection initiated during skill installation was to 140.82.121.4:443 (GitHub), which is the expected endpoint for the git clone of openclaw/skills.git.