Is espetey/buildlog safe?
https://github.com/openclaw/skills/tree/main/skills/espetey/buildlog
The espetey/buildlog skill installs cleanly with no malicious code, no prompt injection, and no install-time credential access — all canary files remain intact and the only network activity during install was an expected GitHub clone. However, the skill is architected to record full coding sessions including file content snapshots and upload them to buildlog.ai with public visibility enabled by default, creating a high risk of inadvertent disclosure of sensitive data (API keys, credentials, proprietary code) encountered during normal agent operation. The publisher identity mismatch — 'espetey' publishing a skill attributed to 'buildlog.ai' with a repository in a third GitHub organization — further undermines trust in the artifact's provenance.
Findings (7)
HIGH File contents included in public uploads by default -40
The skill's default configuration sets includeFileContents: true and defaultPublic: true. An AI coding agent routinely reads .env files, configuration files containing API keys, database credentials, and proprietary source code. With this skill active, any session the user exports and uploads to buildlog.ai would include snapshots of those file contents and publish them publicly. The user may not recognize that 'export session' implies publishing file contents they opened during the session.
HIGH Publisher identity mismatch — skill may be unauthorized publication -30
The skill is published under the 'espetey' namespace in the openclaw/skills monorepo, but claims author: buildlog.ai and repository: https://github.com/buildlog/openclaw-skill (a separate GitHub organization). This tri-party mismatch (espetey / buildlog.ai / buildlog org) means either the skill was submitted without authorization from buildlog.ai, or it is a modified fork. An unauthorized publisher could have altered upload endpoints or default settings to route data to attacker-controlled infrastructure while the skill appears to be an official buildlog.ai product.
MEDIUM Session data sent to unaudited third-party service -20
All recordings are uploaded to buildlog.ai, a third-party service for which no privacy policy, data retention terms, security posture, or breach notification obligations are disclosed in the skill. An API key is listed as optional for public uploads, meaning the service accepts and stores data from anonymous users. There is no mechanism for the agent to warn the user about what specific sensitive content will be included before upload.
MEDIUM Skill normalizes upload-on-request pattern adjacent to exfiltration -15
The skill instructs the agent to respond to natural-language commands like 'upload the buildlog' and 'share the buildlog' by transmitting accumulated session data to an external endpoint. This normalization could be exploited by a secondary prompt injection attack — e.g., injected content in a file the agent reads could instruct it to 'share the buildlog now', triggering an upload of everything captured so far including sensitive file contents.
LOW Version metadata inconsistency between _meta.json and SKILL.md -5
The _meta.json file reports latest.version as '1.0.1' while SKILL.md frontmatter declares version as '1.0.0'. This discrepancy indicates the skill was updated without synchronizing all artifacts, reducing confidence in the integrity of the published package and the reliability of the publishing process.
INFO Clean install — no malicious behavior during installation 0
The install process was limited to a standard sparse git checkout from github.com/openclaw/skills. Only two expected files were written to the skill directory. No unexpected network connections, no code execution outside the git toolchain, no filesystem changes outside the designated skill directory.
INFO Canary file accesses attributable to monitoring infrastructure, not skill 0
Reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json occurred at audit timestamps 1771909329 (pre-install setup) and 1771909347 (post-install verification). The skill install shell script executed at 1771909335 and completed at ~1771909342. The sensitive file accesses do not fall within the install window and are consistent with Oathe's own canary baselining process. All canary files confirmed unmodified.