Is gl813788-byte/agent-weave safe?

https://github.com/openclaw/skills/tree/main/skills/gl813788-byte/agent-weave

84
SAFE

agent-weave is a legitimate Node.js master-worker distributed computing library with a clean SKILL.md containing no prompt injection, no outbound exfiltration code, and no malicious install scripts. The primary anomaly is the access of all six credential honeypot files at timestamps consistent with the oathe monitoring infrastructure's own pre/post baseline scans rather than with skill execution, and the canary integrity check confirms all files remained unmodified. Minor concerns include persistent setInterval timers and console.clear() calls in the AgentManager demo code that could disrupt agent output if instantiated directly.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (6)

MEDIUM Credential files opened and read during monitoring window -32

Six high-value credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/application_default_credentials.json) were opened and read twice during the monitoring period — once before install and once after. Both access clusters occur at timestamps consistent with the oathe audit system's pre/post canary baseline scan phases (1771941545 and 1771941571), and no skill process is executing at those moments. However, the dual access pattern cannot be fully excluded as skill-initiated without deeper PID-level tracing.

LOW Persistent setInterval timers in agent-system.js -12

AgentManager.startMonitoring() starts two setInterval loops (1000ms and 5000ms) that never terminate unless explicitly stopped. If an LLM agent instantiates AgentManager, these intervals will persist for the lifetime of the process, consuming resources and repeatedly calling displayStatusPanel() which calls console.clear().

LOW Demo code clears console output on 1-second loop -8

The displayStatusPanel() method calls console.clear() unconditionally on every invocation. If an agent runs agent-system-demo.js or instantiates AgentManager directly, this will continuously wipe the agent's visible terminal output, potentially obscuring errors or user-facing results.

LOW Local filesystem directory creation at instantiation -8

AgentManager constructor unconditionally creates the log directory (default ./agent-logs) via fs.mkdirSync at construction time. This is benign but creates filesystem artifacts in the working directory without explicit user request.

INFO SKILL.md is clean — no injection patterns detected 0

SKILL.md contains only documentation describing legitimate distributed agent functionality. No instruction overrides, no hidden text, no URL fetch directives, no persona changes, no encoding tricks.

INFO No persistent network connections added by skill 0

Connection state diff before and after installation shows no new listeners or established connections attributable to the skill. All network activity during the window is traceable to system services (sshd, git clone to GitHub, Ubuntu update infrastructure).