Is doonot/zero-trust safe?
https://github.com/openclaw/skills/tree/main/skills/doonot/zero-trust
The zero-trust skill is a plain-text behavioral policy document with no executable code, no data exfiltration machinery, and no prompt injection techniques. Monitoring confirms all canary files were intact post-installation, all network activity resolved to legitimate GitHub and Ubuntu infrastructure, and the filesystem diff shows no unexpected changes. Two minor design weaknesses exist: a hardcoded approver name ('Pat') that could confuse deployments not belonging to that user, and an unrestricted 'local file operations' exemption that undermines the zero-trust posture the skill claims to enforce.
Findings (6)
LOW Hardcoded approver persona 'Pat' -5
The core trust principle states 'until explicitly approved by Pat.' This locks the approval persona to a specific name. Agents deployed for users not named Pat will still function correctly but may confuse end users or create social-engineering surface if an attacker attempts to impersonate 'Pat'.
LOW DO FREELY section grants unrestricted local file operations -5
The explicit 'DO FREELY (no approval needed)' category includes 'Local file operations' without any scoping. A strict zero-trust implementation would require approval even for reading sensitive local paths. This creates an exemption category that a companion malicious skill could exploit.
INFO Canary file reads attributable to audit framework -8
Multiple PATH syscall records reference .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials. Timestamps place these reads at audit setup (1771957924) and at the audit teardown integrity verification (1771957941), not during skill-controlled code execution. No write or network syscall was paired with these reads, and the canary integrity check confirms all files intact.
INFO Overly broad trigger scope may cause friction -10
The skill's description instructs it to activate for ALL operations involving external resources, URL interactions, package installs, API keys, emails, social media, financial transactions, and any irreversible action. While defensively motivated, this breadth means the skill intercepts a very wide category of normal agent tasks and surfaces human-approval gates frequently.
INFO No exfiltration instructions or infrastructure 0
SKILL.md contains no instructions to read sensitive files, encode data in URLs or base64, send data to external endpoints, or traverse outside the working directory. The credential-handling section explicitly prohibits logging or transmitting credentials.
INFO Zero executable surface area 0
The skill package contains only SKILL.md, _meta.json, and .clawhub/lock.json. No package.json, no scripts directory, no git hooks, no submodules, no symlinks, no compiled or minified code was found.