Is halbotley/duely safe?
https://github.com/openclaw/skills/tree/main/skills/halbotley/duely
The halbotley/duely skill is a minimal, documentation-only SKILL.md: it contains no executable code, no prompt-injection vectors, no data-exfiltration instructions and no malicious git artifacts. The sensitive-file reads observed during monitoring began six seconds before the skill was cloned and recurred after installation finished, which identifies them as the sandbox's own baseline and final-state scans rather than skill-triggered access; the canary integrity check confirms this. The only substantive notes are that the runtime binary is installed from a third-party Homebrew tap, and that the documented agent integration is a legitimate but autonomous pattern in which the agent acts on due tasks without per-task confirmation.
Findings (4)
INFO (0): Canary file reads attributed to sandbox infrastructure, not skill
Sensitive canary files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened for reading at 09:18:00, six seconds before the git clone of the skill began (09:18:06), and the same files were read again at 09:18:19, after installation had completed. Reads that precede the clone cannot have been triggered by the skill; combined with the all-files-at-once pattern and the confirmed canary integrity, this indicates that both bursts are the monitoring framework's baseline and final-state reads rather than skill-triggered access.
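The attribution logic behind this finding, as an added example that is not part of the audit page or the skill: given a monitor log, it buckets canary opens by whether they fall before the clone, inside the clone-to-install window, or after install completion, and flags same-second bursts across many canary files as the scanner signature. The log format and the 09:18:18 install-completion time are constructed for illustration; the 09:18:00, 09:18:06 and 09:18:19 timestamps are the ones in the finding.

```python
from collections import Counter
from datetime import datetime

# Constructed monitor log in a simple "HH:MM:SS kind detail" shape (the real
# sandbox emits its own schema). The canary reads at 09:18:00 and 09:18:19 and
# the clone at 09:18:06 mirror the finding; the install-completion time is assumed.
SAMPLE_EVENTS = """\
09:18:00 open_read /home/agent/.env
09:18:00 open_read /home/agent/.ssh/id_rsa
09:18:00 open_read /home/agent/.aws/credentials
09:18:00 open_read /home/agent/.npmrc
09:18:00 open_read /home/agent/.docker/config.json
09:18:06 exec git clone https://github.com/openclaw/skills
09:18:18 install_done skills/halbotley/duely
09:18:19 open_read /home/agent/.env
09:18:19 open_read /home/agent/.ssh/id_rsa
09:18:19 open_read /home/agent/.aws/credentials
"""

CANARY_SUFFIXES = (".env", ".ssh/id_rsa", ".aws/credentials", ".npmrc", ".docker/config.json")


def parse_events(text):
    """Parse log lines into (timestamp, kind, detail) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, detail = line.split(" ", 2)
        events.append((datetime.strptime(ts, "%H:%M:%S"), kind, detail))
    return sorted(events, key=lambda e: e[0])


def is_canary(path):
    return path.endswith(CANARY_SUFFIXES)


def install_window(events):
    """Clone start and install completion bound the period in which skill content could act."""
    start = next(t for t, kind, d in events if kind == "exec" and d.startswith("git clone"))
    end = next(t for t, kind, _ in events if kind == "install_done")
    return start, end


def attribute_canary_reads(events):
    """Bucket canary opens as baseline (before clone), in_window, or post_install."""
    start, end = install_window(events)
    buckets = Counter(baseline=0, in_window=0, post_install=0)
    for t, kind, path in events:
        if kind != "open_read" or not is_canary(path):
            continue
        if t < start:
            buckets["baseline"] += 1        # nothing from the skill existed yet
        elif t <= end:
            buckets["in_window"] += 1       # the only bucket that can implicate the skill
        else:
            buckets["post_install"] += 1    # final-state pass, if no skill process lingers
    return dict(buckets)


def scanner_bursts(events, min_files=3):
    """Seconds in which >= min_files distinct canary files were opened.

    A process that genuinely needs one credential opens one file; a baseline
    scanner touches every canary in the same second.
    """
    per_second = {}
    for t, kind, path in events:
        if kind == "open_read" and is_canary(path):
            per_second.setdefault(t, set()).add(path)
    return sorted(t.strftime("%H:%M:%S") for t, paths in per_second.items() if len(paths) >= min_files)


def attributable_to_skill(events):
    return attribute_canary_reads(events)["in_window"] > 0


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(attribute_canary_reads(evs), scanner_bursts(evs), attributable_to_skill(evs))
```

The post-install bucket is only safe to discount when, as here, no listening port or lingering process was left behind; a skill that spawned a daemon would need its reads treated as in-window.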
LOW (-3): Runtime binary sourced from third-party Homebrew tap
The skill requires halbotley/tap/duely, a Homebrew formula maintained by the skill author outside Homebrew core. Installing from a tap trusts the tap repository and whatever source or bottle URL the formula pins; the tap's security posture is not evaluated by this audit.
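A pre-install review of a tap formula, as an added example that is neither the audit's tooling nor the real halbotley/tap/duely formula (whose contents are not on this page): it extracts the pinned url and sha256 from the Ruby DSL, verifies a fetched archive against the pin, and lists the review points a practitioner would clear first. The formula text and archive bytes are constructed; the hostnames are placeholders.

```python
import hashlib
import re

# Constructed stand-in for the release archive the formula's url would download.
SAMPLE_ARCHIVE = b"constructed stand-in for a release tarball\n"

# Constructed formula in Homebrew's Ruby DSL shape. It is NOT the real
# halbotley/tap/duely formula; its contents are not on this page.
FORMULA_TEMPLATE = '''\
class Duely < Formula
  desc "Constructed example formula"
  homepage "https://example.invalid/duely"
  url "https://example.invalid/releases/duely-1.0.0.tar.gz"
  sha256 "{digest}"
  license "MIT"

  def install
    bin.install "duely"
  end
end
'''
SAMPLE_FORMULA = FORMULA_TEMPLATE.format(digest=hashlib.sha256(SAMPLE_ARCHIVE).hexdigest())

_FIELD = re.compile(r'^\s*(url|sha256|homepage)\s+"([^"]+)"', re.M)


def parse_formula(text):
    """Extract url, sha256 and homepage; the first occurrence is the stable source."""
    fields = {}
    for key, value in _FIELD.findall(text):
        fields.setdefault(key, value)
    return fields


def verify_archive(formula_text, archive_bytes):
    """True only if the fetched archive matches the digest pinned in the formula."""
    pinned = parse_formula(formula_text).get("sha256", "").lower()
    return pinned == hashlib.sha256(archive_bytes).hexdigest()


def review_formula(text):
    """Warnings a reviewer should clear before installing from a third-party tap."""
    fields = parse_formula(text)
    warnings = []
    if not re.fullmatch(r"[0-9a-f]{64}", fields.get("sha256", "").lower()):
        warnings.append("no valid sha256 pin: the source archive is not integrity-checked")
    if not fields.get("url", "").startswith("https://"):
        warnings.append("source url is not https")
    if re.search(r"^\s*bottle\s+do", text, re.M) and re.search(r"^\s*root_url\s+", text, re.M):
        warnings.append("bottle block with custom root_url: prebuilt binaries from an author-controlled host")
    if re.search(r'system\s+"?(curl|wget|bash|sh)\b', text):
        warnings.append("install step shells out to a downloader or shell: code runs at install time")
    return warnings


if __name__ == "__main__":
    print(parse_formula(SAMPLE_FORMULA))
    print(verify_archive(SAMPLE_FORMULA, SAMPLE_ARCHIVE), review_formula(SAMPLE_FORMULA))
```

After `brew tap halbotley/tap`, `brew cat halbotley/tap/duely` prints the actual formula to review with this. Homebrew checks the sha256 on fetch, but only against what the tap author pinned, so the review is of the pin and the URLs, not of the checksum mechanics.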
LOW (-4): Autonomous agent task execution model without per-task confirmation
The skill documents an agent integration pattern in which the agent checks for due tasks and marks them complete without explicit per-task user confirmation. This is a legitimate design choice for a task scheduler, but it means an agent following the skill will take actions autonomously.
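A confirmation gate for that loop, as an added example that is not code from the skill: due tasks are closed autonomously only when their tag is allowlisted or the user has explicitly approved that task id, everything else is held for review, and each decision is logged. The in-memory task records and the tag names are constructed, since the page does not describe duely's storage format or CLI.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Task:
    id: str
    title: str
    due: datetime
    tags: frozenset = frozenset()
    done: bool = False


# Only low-impact categories may be closed without a human; everything else is held.
AUTO_COMPLETE_TAGS = frozenset({"reminder"})

NOW = datetime(2024, 1, 1, 9, 0)


def fresh_sample_tasks():
    """Constructed due-task list; duely's real storage format is not on the page."""
    return [
        Task("t1", "Rotate the staging API key", datetime(2024, 1, 1, 8, 0), frozenset({"ops"})),
        Task("t2", "Send weekly status e-mail", datetime(2024, 1, 1, 8, 30), frozenset({"reminder"})),
        Task("t3", "Water the plants", datetime(2024, 1, 1, 7, 0), frozenset({"reminder"})),
        Task("t4", "Not due until later", datetime(2024, 1, 1, 10, 0), frozenset({"reminder"})),
    ]


def due_tasks(tasks, now):
    return [t for t in tasks if not t.done and t.due <= now]


def run_agent_pass(tasks, now, approved_ids=frozenset()):
    """Close due tasks only when policy or an explicit per-task approval allows it.

    Returns (completed_ids, held_ids, audit): held tasks are surfaced to the
    user instead of being marked done, and every decision is logged with its reason.
    """
    completed, held, audit = [], [], []
    for task in due_tasks(tasks, now):
        if task.id in approved_ids:
            reason = "explicitly approved by user"
        elif task.tags & AUTO_COMPLETE_TAGS:
            reason = "tag allowlisted for autonomous completion"
        else:
            held.append(task.id)
            audit.append((task.id, "held", "needs confirmation"))
            continue
        task.done = True
        completed.append(task.id)
        audit.append((task.id, "completed", reason))
    return completed, held, audit


if __name__ == "__main__":
    for entry in run_agent_pass(fresh_sample_tasks(), NOW)[2]:
        print(*entry)
```

The held list is what the agent should show the user at the end of a pass; feeding the ids they approve back as `approved_ids` on the next pass turns the fully autonomous pattern into a per-task confirmation one without changing the scheduler itself.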
INFO (0): All network activity during install is accounted for and benign
Only GitHub (140.82.121.3:443) was contacted during the install window. No unexpected external endpoints. No new listening ports were opened. Filesystem changes are limited to exactly two expected files.