Is gracelungu/nano-banana-kling-ad-workflow safe?

https://github.com/openclaw/skills/tree/main/skills/gracelungu/nano-banana-kling-ad-workflow

97
SAFE

The nano-banana-kling-ad-workflow skill is a benign, purely instructional creative workflow document with no malicious characteristics across any audit dimension. The SKILL.md contains only legitimate guidance for producing short AI-generated video advertisements using Nano Banana image generation and Kling 3.0 animation, with no prompt injection patterns, no executable code, no git hooks or submodules, and no data access or exfiltration instructions. All anomalous file-access events observed during monitoring are attributable to the audit harness performing canary baseline checks, as confirmed by the canary integrity report.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 93/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 96/100 · 5%

Findings (2)

INFO Credential file reads attributed to audit harness canary checks -7

Six credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read via OPEN+ACCESS+CLOSE_NOWRITE syscalls at two discrete points: immediately at audit start (auditd events 257-262, timestamp 1771923577.828) and again post-install (auditd events 1424-1429, timestamp 1771923595.356). This bilateral access pattern — once before any skill code runs and once after installation completes — is consistent with the audit harness establishing and verifying canary baselines. The SKILL.md contains no instructions referencing these paths, no shell execution capability, and no mechanism to trigger file reads. The authoritative canary integrity check reports all files intact with no exfiltration detected.

INFO Expected GitHub HTTPS connection during installation -5

The oathe installation harness performed a standard shallow sparse-checkout clone of the openclaw/skills monorepo from github.com (resolved to 140.82.121.3:443). The connection is initiated by the audit harness script (bash -c with the decoded git clone command visible in auditd EXECVE records), not by any skill-side code. The connection diff confirms no new listening ports or established sessions remain after install. The pre-existing connection to 185.125.188.57:443 (Ubuntu update infrastructure) visible before install was gone after install, indicating normal system churn.