Is fortunto2/solo-stream safe?
https://github.com/openclaw/skills/tree/main/skills/fortunto2/solo-stream
fortunto2/solo-stream is a legitimate STREAM decision-framework wizard with a clean installation profile, no executable code, and no prompt injection language. The primary concern is its optional dependency on mcp__solograph__kb_search — an unverified third-party MCP server — which is invoked mid-session while the agent is collecting sensitive business and personal decision data, creating a potential context leakage and indirect prompt injection vector. The skill is otherwise transparent about its tool usage and follows expected patterns.
Findings (6)
MEDIUM (-12) Unknown third-party MCP server dependency: mcp__solograph__kb_search
The skill declares mcp__solograph__kb_search in its allowed-tools list and invokes kb_search(query='STREAM framework', n_results=3) during execution. The 'solograph' MCP server is not a standard or well-known service. This call is made while the agent is actively collecting sensitive founder decision data (financial stakes, competitive strategy, personal values). An adversarial or compromised solograph server could (a) log query context, (b) return prompt-injection payloads embedded in 'framework details', or (c) be used as a covert data channel. The call is optional ('If MCP kb_search available') but is listed in allowed-tools, meaning the agent will attempt it when available.
LOW (-10) mcp__solograph__kb_search response could inject adversarial instructions
Because the agent receives and processes the response from mcp__solograph__kb_search as 'full framework details', a malicious response could contain instructions disguised as framework content. This is a classic indirect prompt injection vector via MCP tool responses. The skill provides no sanitization or boundary around the returned content.
LOW (-8) Post-install canary file accesses at identical timestamps
Auditd PATH records show all six canary files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) accessed at the exact same timestamp (1771932199.202) after installation completed. The burst pattern and identical timestamp strongly indicate the oathe monitoring framework performing its own post-install canary integrity scan rather than skill-driven access. Canary integrity check confirms files unmodified. Flagged for completeness.
LOW (-5) Write tool scope not bounded by skill instructions
The skill includes Write in allowed-tools and documents writing to docs/decisions/. However, the skill text does not enforce this path restriction — it merely suggests it. If the MCP call returns adversarial content that redirects the Write call, the agent could write to arbitrary paths. This is a low-probability but non-zero risk.
INFO (0) Clean installation with expected network profile
Installation cloned from github.com/openclaw/skills using sparse checkout, copied target skill files, and cleaned up. All network connections during installation resolve to GitHub (140.82.114.4) and Canonical/Ubuntu servers (185.125.188.58, 185.125.190.18) that were active before installation. No new persistent connections after install.
INFO (0) No executable code or installation hooks
The skill consists solely of SKILL.md, _meta.json, and .clawhub/lock.json. No JavaScript, Python, shell scripts, git hooks, submodules, or symlinks were found. No code executes at install time.