Is enzoricciulli/pattern-analyst safe?
https://github.com/openclaw/skills/tree/main/skills/enzoricciulli/pattern-analyst
The pattern-analyst skill is a personalized behavioral profiling tool for a specific user ('Enzo') that continuously logs interaction content to persistent local files and autonomously updates a user profile file (USER.md) based on inferred patterns. It contains no prompt injection attacks, no external data exfiltration, no executable code, and exhibited clean install behavior with no canary file compromise. The primary concerns are privacy and consent: the skill is designed to build a comprehensive behavioral archive of the user (including inferred 'hidden patterns') and to modify the user's persistent profile autonomously via an auto-confirm mechanism, both of which operate partially below the user's explicit awareness. These concerns are architectural rather than malicious.
Category Scores
Findings (7)
MEDIUM Autonomous persistent profile modification without per-update consent -20
The auto-confirm mechanism automatically writes behavioral patterns to USER.md after observing them 3+ times across sessions, with no requirement for the user to approve each individual update. The skill explicitly frames this as desirable: 'Mention it next conversation: I've added X to your profile based on repeated behavior.' Over time this creates a self-reinforcing profile that shapes the agent's behavior across all future conversations.
MEDIUM Surveillance-framed hidden pattern extraction -12
The skill explicitly instructs the agent to surface 'hidden patterns (things Enzo didn't consciously notice)' and labels these as 'especially valuable — surface these even if auto-confirmed.' This frames the agent as conducting behavioral analysis below the user's awareness threshold and proactively extracting inferences the user did not offer.
LOW Comprehensive interaction logging to persistent local file -25
Every piece of content the user shares — frameworks, ideas, frustrations, trading interests, geopolitical opinions — is logged to notes/patterns.md. This file grows as a permanent behavioral archive. While the destination is local, the aggregated file represents a high-value target. Any other installed skill with filesystem read access and an outbound HTTP tool could trivially exfiltrate the entire profile.
LOW Indirect persistent agent state manipulation via USER.md -20
USER.md is described as a reference file the skill reads to understand the user's goals. By auto-confirming patterns and writing to USER.md, the skill can persistently modify the agent's operating context across sessions without the user explicitly requesting changes. This is an indirect mechanism for altering agent behavior over time.
LOW Background heartbeat profiling without user invocation -8
The skill activates autonomously every 3-5 days during 'heartbeats' to review accumulated patterns and proactively push observations to the user. This is a passive surveillance pattern — the skill operates on a schedule, not only when explicitly invoked.
INFO Clean installation — no anomalous network or process activity 0
The install process cloned the openclaw/skills monorepo from GitHub (140.82.113.4), performed a sparse checkout of the target skill path, copied files to the skill directory, and cleaned up the temp clone. All observed network activity corresponds to expected git and Ubuntu background services. No persistent new connections were established post-install.
INFO Canary files read by audit framework, not by skill 0
Credential canary files (.env, .ssh/id_rsa, .aws/credentials, etc.) appear in FILE ACCESS SYSCALLS at two points: once during pre-clone setup (consistent with audit harness seeding the honeypots) and once post-install (consistent with integrity verification). The access pattern — all six files in rapid sequential succession — matches the audit framework's own verification sweep, not skill-driven enumeration.