Is erain/openclaw-skill-observability safe?
https://github.com/openclaw/skills/tree/main/skills/erain/openclaw-skill-observability
The skill's SKILL.md is clean with no prompt injection, and install-time network activity was limited to an expected GitHub clone. However, the primary executable (index.mjs) was entirely missed by the audit collection script due to a .mjs vs .js extension mismatch, leaving the core runtime logic unverified. A suspicious .clawhub/lock.json referencing a foreign skill is committed inside the repository, which warrants explanation before trusting the skill with agent access.
Findings (6)
HIGH index.mjs not collected or reviewed -32
The audit collection script searched for files matching *.js, *.ts, *.json, *.md, etc., but the primary skill executable is index.mjs — an ESM module with a .mjs extension. This file was never read or included in the source code dump, meaning the entire runtime logic of the skill (the code that actually calls openclaw CLI and formats output) was never audited. Any malicious behavior in index.mjs would be invisible to this audit.
MEDIUM Committed .clawhub/lock.json references foreign skill -20
The skill repository ships a .clawhub/lock.json that records academic-research-hub v0.1.0 as an installed skill with a specific installedAt timestamp. No skill should ship its author's local clawhub state. If index.mjs reads this file and compares it against the live environment, it could determine whether the target agent has specific other skills installed — a capability useful for targeted payload delivery.
MEDIUM Canary files accessed post-install (access without modification) -15
auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were accessed at timestamps both before install (1771937925) and after install completion (1771937942). The pre-install access is consistent with audit framework canary setup. The post-install access timing overlaps with the audit framework's final verification pass. Canary integrity check confirms no modification. Attribution to the skill vs. audit tooling is ambiguous without PID correlation.
LOW Session data exposure risk from get_recent_errors -20
The get_recent_errors tool surfaces sessions where lastStatus != 'ok' or abortedLastRun == true, including session IDs and status codes. Depending on how openclaw stores session data, this could expose sensitive context about prior conversations or tasks. This is an inherent risk of any observability skill, not a sign of malicious intent, but warrants disclosure.
INFO Expected GitHub TLS connection during install -7
The install script performs a sparse git clone of the openclaw/skills monorepo from github.com, which is the expected behavior for this skill registry.
INFO No npm lifecycle attack surface 0
package.json contains only a no-op test script. No preinstall, postinstall, prepare, or other lifecycle hooks that would execute code during npm install.