Is firef1ie/agentpmt-agentaddress safe?

https://github.com/openclaw/skills/tree/main/skills/firef1ie/agentpmt-agentaddress

78
CAUTION

This audit was partially invalidated by a git clone failure that left the installed skill directory empty — no SKILL.md, source code, or package.json was recovered for analysis. No positive evidence of malice was detected: canary files were not accessed by the skill, all network connections were to GitHub and Ubuntu CDN, and no suspicious processes executed. However, the skill's name explicitly implies agent prompt and address manipulation, and the absence of auditable content means the actual risk of injecting this skill into an agent's system prompt cannot be assessed.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 78/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (5)

HIGH Skill content unauditable — empty install directory -20

The git clone failed because /tmp/monorepo-clone already existed (environment contamination from a prior run). The installed skill directory was empty. No SKILL.md was present to evaluate for adversarial instructions, hidden unicode, persona override directives, or permission escalation attempts. The upstream repository content — which would actually be injected into agent system prompts — was never examined.

MEDIUM Skill name implies agent prompt and address manipulation -15

The slug 'agentpmt-agentaddress' decodes to 'agent prompt' + 'agent address'. Skills in this category can override agent instructions mid-session, redirect tool calls to attacker-controlled endpoints, or modify how an agent resolves peers in multi-agent orchestration. Even a benign implementation of such functionality represents a high-privilege capability that warrants scrutiny.

INFO Canary file accesses attributable to audit infrastructure -12

All six honeypot credential files were opened and accessed during the audit session. Timestamp cross-referencing places the first access batch (auditd 1771939777.970) 5+ seconds before the install script executed (1771939783.477), and the second batch (1771939807.807) after all skill activity completed — consistent with Oathe's pre-install canary placement and post-install integrity verification. The canary integrity monitor independently confirms no exfiltration.

LOW Install failed due to pre-existing temporary directory -22

The /tmp/monorepo-clone directory was not cleaned up between audit runs. The clone command failed, meaning the sparse checkout and copy steps may not have executed correctly. This is an audit environment issue, not evidence of skill-side malice, but it invalidates the completeness of this audit run.

MEDIUM Empty skill with agent-prompt-manipulation name is unverifiable -50

A skill designed to interact with agent prompts or addresses, which presents no auditable content, cannot be cleared for installation. The content gap is as likely to result from a failed audit environment as from a deliberately hidden payload. Until the upstream repository content can be independently verified to be benign, this skill must be treated as unknown-risk.