Is gekacross/personal-friends safe?

https://github.com/openclaw/skills/tree/main/skills/gekacross/personal-friends

Overall score: 88/100 (SAFE)

The personal-friends skill is a straightforward personal productivity assistant written in Russian that tracks social relationships, birthdays, debts, and plans via a local markdown file. No malicious prompt injection, code execution, or active exfiltration mechanisms were detected in the skill content, and the installation clone was clean with no unexpected network activity or persistent connections. The primary concerns are privacy-architectural: the skill accumulates sensitive personal and financial PII in a plaintext file accessible to co-installed skills, and its mandatory pre-response file read creates an indirect injection surface if that file is ever externally compromised.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 88/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (5)

MEDIUM Sensitive PII accumulation in plaintext knowledge file -20

The skill is designed to persistently store a rich social graph including friend names, birthdays, financial debts (exact amounts and directions), meeting plans, and gift preferences in a plaintext markdown file at knowledge/personal/friends.md. This file sits in the agent's knowledge directory where any co-installed skill with read access to the filesystem could access it. Over time this file becomes a high-value exfiltration target.

LOW Pre-response file read creates indirect injection surface -12

The skill mandates 'Прочитай knowledge/personal/friends.md' (read knowledge/personal/friends.md) before every response. If a malicious actor can control the contents of that file (e.g., via a co-installed skill that writes to it), adversarial instructions in the friends file would be read into agent context before each reply, creating a persistent indirect prompt injection channel.

LOW Privacy enforcement relies solely on agent compliance -25

The rule 'никогда не шарить в групповых чатах' (never share in group chats) has no technical enforcement mechanism. If the agent is operating in a context where topic detection fails, or in combination with a skill that changes conversation context, friend data could leak. This is a design limitation, not active malice.

INFO Canary credential files accessed during monitoring window -15

The inotifywait and auditd records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials being opened during the monitoring window. Timing analysis places the first access batch at 1771906092 (5 seconds before git clone began at 1771906097) and the second at 1771906115 (post-install), both consistent with audit infrastructure canary setup and verification cycles. The canary integrity check confirms the files were not modified. No correlated outbound network transfer was observed.

INFO No executable artifacts present -2

The skill contains only markdown and metadata. There is no code execution risk from the installed files.