Is grxkun/skill-mixer safe?

https://github.com/openclaw/skills/tree/main/skills/grxkun/skill-mixer

87
SAFE

grxkun/skill-mixer is a benign but functionally empty skill: its SKILL.md is a project-completion status document with no agent instructions, no prompt injection, and no code execution capability. The only notable observations are canary file reads that are temporally attributed to the audit harness rather than the skill, and the absence of any actual skill functionality in the installed package. There is no evidence of malicious intent, but the skill delivers no value to an agent and wastes context window.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 99/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 80/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (4)

LOW Canary files read (pre- and post-install) — audit framework attributed -20

Six credential-class honeypot files (.env, id_rsa, .aws/credentials, .npmrc, docker config, gcloud credentials) were opened and read at timestamps 1771904738 and 1771904755. The pre-install reads (1771904738) precede the git clone by 5 seconds and align with sudo initialization. The post-install reads (1771904755) follow immediately after the audit harness's file-scan commands. No skill-owned subprocess was executing at either timestamp. Files were not modified, so integrity hashes pass. Flagged for transparency.

LOW Skill is non-functional — documentation masquerading as agent skill -28

SKILL.md describes a project completion state for a TypeScript skill-aggregation tool. It does not contain any agent-executable instructions, tool definitions, or capability declarations. The referenced source files (categorizer.ts, adapter_clawhub.ts, master_agent.ts, cli.ts, index.ts) are absent from the repository. Installing this skill injects ~4,400 lines of project status markdown into an agent's context with no functional benefit.

INFO Normal sparse-checkout clone from github.com -10

Install process performed a depth-1 clone of github.com/openclaw/skills.git, applied sparse-checkout to skills/grxkun/skill-mixer, and copied the result to the install directory. All network activity is accounted for by this operation. No secondary download or remote code execution occurred.

INFO SKILL.md contains no injection vectors 0

Full content review of SKILL.md found no instructions to ignore prior context, no persona overrides, no hidden unicode characters, no HTML comments, no base64-encoded payloads, and no external URL fetch directives. The document is plain project documentation.