Is guillaumetch/moltworld-dashboard-deploy safe?

https://github.com/openclaw/skills/tree/main/skills/guillaumetch/moltworld-dashboard-deploy

Overall score: 91 (SAFE)

moltworld-dashboard-deploy is a well-structured, narrowly scoped deployment helper for a named local web application. The skill content contains no prompt injection, no data-exfiltration instructions, no executable install-time code, and no malicious patterns. Canary file accesses visible in the audit logs are attributable to the monitoring framework's own baseline and integrity-check routines — all honeypot files remain intact. The skill's five explicit safety gates, including mandatory user approval before privileged operations and a prohibition on curl|bash, represent sound security practice for a deployment-class skill.

Category Scores (score / weight in overall)

Prompt Injection: 92/100 (weight 30%)
Data Exfiltration: 90/100 (weight 25%)
Code Execution: 88/100 (weight 20%)
Clone Behavior: 87/100 (weight 10%)
Canary Integrity: 100/100 (weight 10%)
Behavioral Reasoning: 85/100 (weight 5%)

Findings (4)

LOW Skill workflow involves privileged system commands requiring trust in the approval gate -12

The documented workflow includes npm package installation, Docker image builds, and optional systemd service installation via sudo. While the skill's safety gates explicitly require user approval before any privileged or persistent action, an agent following this skill will ultimately execute shell commands with real system side effects. The safety depends entirely on the agent correctly surfacing the approval step to the user.

INFO Skill installed via expected sparse-checkout of public monorepo -13

Installation connected only to github.com for the git clone. The openclaw-gateway connections visible in the connection diff are the execution infrastructure (pid=1088, present before installation). Background OS connections to Canonical servers are normal. No unexpected outbound connections attributable to skill installation.

INFO Canary file accesses are monitoring-framework artefacts, not skill behaviour 0

auditd PATH records show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at two points in the audit window. The first batch appears at timestamp 1771940961.228, roughly 15 seconds before the git clone begins (1771940966.703), indicating these are the monitoring framework's baseline canary reads. The second batch at 1771940977.738 shows all six files accessed at the identical sub-second timestamp, consistent with a programmatic integrity scan rather than organic file access. The framework's canary integrity check confirms all files are intact.

INFO Explicit safety gates reduce prompt-injection attack surface 0

The skill documents five mandatory safety gates that constrain agent behaviour: treating dependencies as untrusted, inspecting package manifests before installation, requiring explicit user approval before privileged actions, preferring non-privileged execution paths, and prohibiting curl|bash. These gates reduce the likelihood that an agent would be led into unsafe actions by ambiguous user input.