Is frmoretto/clarity-gate safe?

https://github.com/openclaw/skills/tree/main/skills/frmoretto/clarity-gate

Overall score: 88
Verdict: SAFE

Clarity Gate is a legitimate document epistemic-quality verification skill that instructs agents to flag unhedged claims, temporal inconsistencies, and unverified data before RAG ingestion. The SKILL.md contains no prompt injection patterns, no credential-harvesting instructions, and no exfiltration logic; the two bundled Python scripts are clean cryptographic utilities. The primary operational risks are minor: dangling relative-path references to a spec file not included in the install, bare-hostname URLs in the related-projects table, and document_hash.py's acceptance of arbitrary file paths as arguments. Canary file accesses observed in monitoring are consistent with the Oathe infrastructure's own pre/post-install integrity checks rather than skill-initiated reads.

Category Scores (score · weight in overall score)

Prompt Injection 88/100 · 30%
Data Exfiltration 83/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (6)

LOW Dangling relative-path spec references -7

SKILL.md references ../../docs/CLARITY_GATE_FORMAT_SPEC.md at multiple points. This path does not exist in the installed skill directory. When injected into an agent's system prompt, the agent may attempt to resolve or fetch this path, generating spurious filesystem reads or tool calls.

LOW Bare-hostname related-projects URLs -5

The Related Projects table lists URLs as bare hostnames (arxiparse.org, github.com/frmoretto/source-of-truth-creator, github.com/frmoretto/stream-coding) without the https:// scheme. Some agent implementations may attempt to resolve these as relative URLs or trigger fetch tool calls against them.

LOW document_hash.py accepts arbitrary file paths -10

The bundled document_hash.py opens any file path passed as a CLI argument without sandboxing or path validation. If an agent invokes this script as part of a verification workflow on a path supplied by a user or another skill, it will read that file's contents into memory (even if only to hash it). This is not exploitable by the skill itself but represents a capability that could be misused in adversarial chaining scenarios.

LOW Mandatory HITL verification creates workflow friction -8

The skill mandates human-in-the-loop confirmation before any document can receive a PASS verdict. While epistemically sound, this design means an agent using this skill will block on user confirmation for every document it processes, which may be unsuitable for automated pipelines that trigger the skill without a human present.

INFO Canary file reads attributed to monitoring infrastructure 0

Credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened at both pre-install and post-install timestamps with CLOSE_NOWRITE semantics (read-only open, no modification). The timing (pre-install baseline at 1771931645, post-install canary check at 1771931662) and the explicit canary integrity confirmation indicate these reads originate from the Oathe audit system itself, not from skill code.

INFO Install-time GitHub connection is expected 0

A single TCP connection to 140.82.121.3:443 (GitHub) was established during install for the sparse monorepo clone. This is entirely expected and consistent with the install mechanism. No connections to unexpected external infrastructure were observed.