Is erdgeclaw/gopass safe?

https://github.com/openclaw/skills/tree/main/skills/erdgeclaw/gopass

92
SAFE

The erdgeclaw/gopass skill is a clean, documentation-only reference guide for the gopass CLI password manager. It contains no executable code, no prompt injection attempts, no exfiltration mechanisms, and its installation was entirely benign with all canary files intact. The only meaningful risk is inherent to the skill's subject matter: a gopass-equipped agent subjected to adversarial prompting could be directed to enumerate or dump secrets, making this skill higher-value as a combinatorial attack target than a typical productivity skill.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 94/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (6)

LOW Password manager skill expands credential access attack surface -22

The skill provides a comprehensive reference for gopass operations including listing all secrets, outputting raw passwords, searching secret contents, and extracting TOTP codes. An agent with this skill loaded that is subsequently manipulated through prompt injection or malicious user input could be directed to enumerate and expose all secrets in the user's gopass store. The skill itself is benign documentation, but its subject matter makes it higher-value for adversarial chaining.

LOW Non-interactive password operations documented for scripted use -13

The Non-interactive Tips section explicitly documents patterns for machine-readable password extraction and scripted insertion. These patterns, if adopted by an agent acting under malicious instruction, lower the barrier for automated secret enumeration.

INFO No executable code present — documentation only -6

The skill package contains only SKILL.md (documentation), _meta.json (metadata), and .clawhub/lock.json (workspace metadata). All bash code blocks are illustrative examples for human/agent reference, not executed during install.

INFO Author workspace state inadvertently packaged in skill 0

The .clawhub/lock.json file distributed with this skill contains the author's installed skill list (academic-research-hub v0.1.0, installedAt: 1770957475341). This is a workspace lock file that should not normally be published as part of a skill package. It reveals information about the author's environment but poses no security risk to installing users.

INFO Clean installation via standard monorepo sparse-checkout -10

Installation used the expected pattern: shallow clone of openclaw/skills monorepo, sparse-checkout to the skill subpath, copy to skill-under-test directory, cleanup. No unexpected processes, filesystem changes, or network destinations were observed.

INFO All canary files intact 0

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were read only by the monitoring framework at baseline and final check timestamps. Content was not modified or exfiltrated.