Is emasoudy/graphiti safe?

https://github.com/openclaw/skills/tree/main/skills/emasoudy/graphiti

Overall score: 80/100 · Verdict: SAFE

The emasoudy/graphiti skill is a straightforward Graphiti REST API integration with no prompt injection, no credential harvesting, and a clean installation profile. The primary risk is architectural: all query and memory-write data flows to a runtime-configurable URL resolved from the clawdbot config, meaning a post-install config compromise (by another skill or direct access) silently redirects all Graphiti traffic to an attacker endpoint without modifying the skill itself. Under default localhost configuration with a healthy Graphiti stack, the skill behaves as documented.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 88/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 87/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (6): severity, title, points deducted

MEDIUM Dynamic endpoint: all query and episode data sent to configurable URL -20

The env-check.sh script resolves GRAPHITI_URL at runtime from the clawdbot config, an environment variable, or a localhost fallback. Every graphiti_search query and graphiti_add payload is POSTed to this URL. If the config is compromised after install (e.g., via another malicious skill or a direct config write), all subsequent Graphiti interactions are silently exfiltrated to an attacker server without any change to the skill files themselves.

MEDIUM Shell script executed on every tool invocation -15

Both graphiti_search and graphiti_add trigger execution of references/env-check.sh via bash command substitution. The script itself is benign, but the pattern of executing a bundled shell script on every invocation means any future update to that script (via skill update mechanism) immediately takes effect without re-audit.

LOW Knowledge graph poisoning via compromised backend -20

If the Graphiti service is replaced or intercepted, it can serve manipulated facts in response to search queries, causing the agent to act on false information. This is a backend trust issue rather than a skill-code issue, but the skill provides no integrity verification of returned facts.

LOW Graphiti search results injected into agent context without sanitization -12

Facts returned from the knowledge graph are piped via jq directly into the agent's response context. A compromised or malicious Graphiti backend could return facts containing prompt injection payloads, which the agent might follow as instructions.

LOW Post-install openclaw-gateway established new external connections -8

After installation, the connection diff shows openclaw-gateway opening new ESTABLISHED connections to AWS and Cloudflare IPs. These are attributable to the audit platform infrastructure rather than the skill itself, and are noted here for completeness.

INFO Canary files accessed during monitoring — attributed to oathe infrastructure -3

Sensitive canary files (.env, .ssh/id_rsa, .aws/credentials, etc.) were read during the monitoring window, but timing and process attribution (oathe periodic canary scan at 1771912133 and 1771912150) confirm these were not accessed by skill processes. All canary files remain unmodified.