Is gumadeiras/pet safe?

https://github.com/openclaw/skills/tree/main/skills/gumadeiras/pet

Overall score: 94 · SAFE

The gumadeiras/pet skill is a minimal, benign documentation wrapper for the open-source 'pet' CLI snippet manager. SKILL.md contains no executable code, no prompt injection vectors, no data-exfiltration directives, and no hidden instructions. All anomalous file accesses observed in monitoring are attributable to the oathe framework's own canary verification routines, not to skill-spawned processes. The only material risk is indirect: the documented 'pet sync' feature can push snippet data to GitHub Gist if the user configures it, and 'pet exec' can run stored commands — both of which require explicit user action and are standard, transparently documented behaviors of the underlying tool.

Category Scores

Category · Score · Weight
Prompt Injection · 97/100 · 30%
Data Exfiltration · 90/100 · 25%
Code Execution · 98/100 · 20%
Clone Behavior · 90/100 · 10%
Canary Integrity · 97/100 · 10%
Behavioral Reasoning · 85/100 · 5%

Findings (4)

LOW · pet sync can transmit snippet data to GitHub Gist · -10

The documented 'pet sync' subcommand pushes the full snippet store (~/.config/pet/snippet.toml) to a user-configured GitHub Gist. If a user stores sensitive command outputs as snippets and has Gist sync configured, this data leaves the host. The skill documents this feature transparently and it is entirely opt-in.

LOW · pet exec enables stored command execution · -15

The 'pet exec' command executes a snippet from the store directly. In an agentic context, if an attacker pre-populated the snippet store (e.g., via another compromised skill or direct filesystem write), subsequent 'pet exec' invocations could run arbitrary commands. This is low-severity because it requires prior filesystem compromise and explicit user/agent invocation.

INFO · OpenClaw gateway establishes outbound connections post-install · -10

After skill installation, the openclaw-gatewa process (PID 1086) has established TLS connections to 44.214.208.192:443 and 104.16.10.34:443 and opened TCP listeners on 127.0.0.1:18790/18793. These are consistent with the OpenClaw infrastructure and not attributable to the pet skill.

INFO · Canary files opened by monitoring framework pre/post-install · -3

Auditd PATH records show all six canary files opened in two synchronized sweeps at timestamps 1771953299 (pre-install) and 1771953318 (post-install). The symmetric pattern and timing strongly indicate the oathe monitoring framework's own canary verification routines, not the skill. Canary integrity confirmed intact.