Is donny-son/joan-workflow safe?

https://github.com/openclaw/skills/tree/main/skills/donny-son/joan-workflow

Score: 92 · Verdict: SAFE

The Joan Workflow skill is a pure markdown documentation file providing CLI reference and workflow guidance for the joan knowledge management tool. It contains no executable code, no injection attempts, no data exfiltration instructions, and no suspicious installation behavior. The only notable risks are indirect: the skill encourages use of 'joan context claude' which writes externally-sourced content to CLAUDE.md (a second-order supply chain concern dependent on joan.land's trustworthiness), and it references an MCP server at joan.land as an optional integration.

Category Scores

Category · Score · Weight
Prompt Injection · 93/100 · 30%
Data Exfiltration · 85/100 · 25%
Code Execution · 100/100 · 20%
Clone Behavior · 90/100 · 10%
Canary Integrity · 100/100 · 10%
Behavioral Reasoning · 84/100 · 5%

Findings (4)

LOW Canary file accesses observed — attributed to monitoring infrastructure -15

Auditd PATH records show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at two points (pre-install and post-install). Both access clusters are consistent with OATHE's own canary integrity checking scripts, not the skill or any skill-spawned process. The skill contains no code capable of initiating these reads.

LOW joan context claude writes to CLAUDE.md — second-order injection surface -16

The skill instructs users to run 'joan context claude' which generates CLAUDE.md content pulled from the joan.land server. CLAUDE.md is loaded as system instructions on every Claude Code session start. If the joan.land service were compromised or intentionally adversarial, it could serve content that injects instructions into future sessions. This is a supply chain risk inherent to the joan architecture, not a property of this skill file itself.

INFO External MCP server URL referenced in documentation -7

The skill documents an MCP server endpoint at https://joan.land/mcp/joan. This is informational guidance for users who have already authenticated with joan, not an instruction to the LLM agent to fetch or connect to that URL autonomously. No imperative directives around this URL are present.

INFO openclaw-gateway established persistent connections to AWS endpoint -10

Post-install connection diff shows openclaw-gateway (pid=1090) holding two ESTABLISHED connections to 98.83.99.233:443 and listening on 127.0.0.1:18790-18793. This is the openclaw platform's own gateway process, not the skill. It represents normal platform telemetry/control plane activity.