Is gustavoziaugra/personal-assistant safe?
https://github.com/openclaw/skills/tree/main/skills/gustavoziaugra/personal-assistant
The personal-assistant skill is a straightforward Python productivity tool that generates local daily briefing JSON files using only Python stdlib. SKILL.md contains no prompt injection, persona manipulation, or hidden instructions. The Python script has no network calls, no sensitive file reads, and no obfuscated logic. Credential file accesses detected during the monitoring window are temporally and behaviorally consistent with the oathe audit platform's own initialization and canary-integrity sweep rather than any skill-originated activity, confirmed by the passing canary check and the absence of new outbound connections post-install.
Findings (4)
MEDIUM Credential files opened during install window -15
Six sensitive credential files — /home/oc-exec/.env, /home/oc-exec/.ssh/id_rsa, /home/oc-exec/.aws/credentials, /home/oc-exec/.npmrc, /home/oc-exec/.docker/config.json, /home/oc-exec/.config/gcloud/application_default_credentials.json — were accessed twice during the monitoring window. The first access cluster at audit epoch 1771901384 coincides with the oathe monitoring framework's own sudo/auditctl/tcpdump initialization. The second cluster at 1771901407 has no correlated outbound network activity and no canary modification, strongly suggesting a post-install canary integrity sweep by the audit platform rather than skill-originated exfiltration. The Python script contains no code capable of reading these paths.
LOW Python script included — review before running -7
The skill ships scripts/daily_briefing.py which the agent may invoke via the shell tool. The script is clean, uses only Python stdlib, and only writes a local JSON file. However, the presence of executable code that the agent can run is a surface worth noting for users who want full auditability before installation.
LOW Cron automation suggestion creates persistent agent scheduling -10
SKILL.md instructs users to set up a daily cron job via 'openclaw cron add --message Generate my daily briefing'. While benign in isolation, persistent scheduled agent tasks increase the attack surface if the skill content were later updated maliciously through a supply-chain update.
INFO Clone fetches full GitHub monorepo with sparse checkout 0
Installation clones the entire openclaw/skills monorepo (depth=1) then uses sparse-checkout to extract only the target subpath. This is normal for monorepo-hosted skills but means the git client briefly holds the full shallow pack before checkout. No anomalous behavior observed.