Is givenness/arena-research-skill safe?
https://github.com/openclaw/skills/tree/main/skills/givenness/arena-research-skill
The arena-research skill is an Are.na graph research agent with a coherent, benign use case and no malicious content in its SKILL.md. The primary concerns are: (1) the skill is functionally incomplete — the referenced TypeScript CLI files were not installed, rendering the skill non-operational as documented; (2) the research methodology instructs the agent to web_fetch URLs from third-party Are.na content, creating a secondary prompt injection surface via user-curated external pages. No canary files were accessed, no unexpected network connections were made during install, and no executable code or install scripts were delivered.
Findings (5)
MEDIUM Referenced CLI code files not installed -10
SKILL.md describes a TypeScript CLI tool (arena-search.ts plus lib/ and references/ subdirectories) as the primary execution mechanism, but none of these files were present in the installed skill directory. The skill is functionally incomplete as delivered. This could indicate an accidental omission from the monorepo subpath or a design where code is expected to be separately installed. Operationally this prevents skill execution; from a security perspective it means no malicious code was delivered.
LOW Agent instructed to web_fetch third-party URLs from Are.na content -15
The research loop (Step 6) instructs the agent to use web_fetch on source URLs extracted from Are.na Link-type blocks. These URLs are user-curated external content that the skill author does not control. A malicious Are.na curator could publish a public channel containing a Link block pointing to a page with adversarial LLM instructions, which the agent would fetch and potentially act on during a research session.
LOW Global environment file sourced before CLI invocations -13
SKILL.md instructs running 'source ~/.config/env/global.env' as a prerequisite to all CLI commands. This is a platform-level credential store. While the primary intended secret is ARENA_ACCESS_TOKEN, any other credentials stored in this file (API keys, tokens) would be exposed to the bun subprocess environment. This is a platform design pattern rather than a skill-specific attack, but represents a credential exposure risk if the env file contains high-value secrets beyond the Are.na token.
INFO Clean install — GitHub only, minimal footprint 0
The installation process contacted only github.com (140.82.121.4:443) via HTTPS for the git sparse-checkout clone. No unexpected DNS queries, no connections to third-party exfiltration endpoints, no files written outside the designated skill directory. The connection diff shows no new persistent listeners or established connections after install.
INFO All honeypot files intact 0
The oathe monitoring framework confirmed all canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were unmodified and not accessed by the skill installation process. The PATH audit events for these files at timestamps 1771918093 and 1771918116 are the audit framework's own pre/post integrity verification reads.