Is gyaan-dub/prompt-enhancer safe?

https://github.com/openclaw/skills/tree/main/skills/gyaan-dub/prompt-enhancer

Overall score: 91/100
Verdict: SAFE

The gyaan-dub/prompt-enhancer skill is a pure markdown prompt file with no executable code, no external data endpoints, and no hidden instructions. It functions exactly as advertised: intercepting messages prefixed with 'p:' or 'prompt:', rewriting them into structured prompts, displaying the rewrite transparently to the user, then executing it. The canary file reads observed in the filesystem monitoring are attributable to the monitoring infrastructure's own baseline and post-install verification sweeps, not to the skill, as confirmed by timing analysis and the intact canary integrity report. The only material concern is that the context inference step may cause an agent with powerful tools to take broader actions than a user's raw input implies, though this is substantially mitigated by the mandatory transparency step.

Category Scores (score, weight in overall score)

Prompt Injection: 88/100 (weight 30%)
Data Exfiltration: 92/100 (weight 25%)
Code Execution: 100/100 (weight 20%)
Clone Behavior: 88/100 (weight 10%)
Canary Integrity: 90/100 (weight 10%)
Behavioral Reasoning: 85/100 (weight 5%)

Findings (5)

LOW (score impact -12): Context inference may expand action scope beyond user intent

The 'Context Inference' step instructs the agent to infer unstated requirements (e.g., 'a user asking for a landing page probably wants responsive design, a CTA...'). When the host agent has filesystem or shell tools, an expanded prompt could cause the agent to take broader actions than the user's raw input implied. This is mitigated by the mandatory transparency step showing the enhanced prompt before execution.

LOW (score impact -10): Canary files accessed (read-only) during monitoring window

Six canary honeypot files were opened and read during the monitoring session: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json. All accesses were CLOSE_NOWRITE events, i.e. read-only. Timing analysis places the first set of accesses at 02:57:36, before the git clone begins at 02:57:41, and the second set at Unix time 1771901873, after install completion; both are consistent with the monitoring infrastructure's baseline and post-install verification sweeps rather than with skill activity. SKILL.md contains no code capable of triggering file reads. Canary integrity was confirmed intact.

INFO (score impact 0): Role assignment instructs agent to adopt expert persona

The skill instructs the agent to assign itself a role ('You are a senior full-stack developer...') in enhanced prompts. This is the stated, documented purpose of the skill and is always shown transparently to the user. No risk of hidden persona override; the persona is limited to the scope of the single enhanced response.

INFO (score impact 0): No executable code; skill is pure markdown

The skill package contains only SKILL.md and _meta.json. No scripts, no package.json, no git hooks, no submodules, no symlinks. The installation process involved only file copies. No code was executed from the skill package at any point.

INFO (score impact 0): Network activity limited to GitHub and pre-existing Canonical connections

The only external HTTPS connection attributable to the skill installation was to GitHub (140.82.121.3:443) for the git clone of the openclaw/skills monorepo. Ubuntu/Canonical connections (91.189.91.49, 185.125.188.54) were present before the clone and represent the monitoring environment baseline. Post-install connection diff shows no new listeners or outbound connections.