Is hegghammer/foam-notes safe?

https://github.com/openclaw/skills/tree/main/skills/hegghammer/foam-notes

89
SAFE

The hegghammer/foam-notes skill is a legitimate Foam note-taking workspace assistant with clean SKILL.md content, no prompt injection, no outbound data exfiltration, and a normal install process sourced exclusively from GitHub. The primary risks are operational rather than malicious: destructive --force flags on delete/rename scripts could cause data loss if invoked without explicit user intent, and the workspace auto-detection fallback to the current working directory could cause scripts to operate on unintended directories. Canary file accesses observed in monitoring are attributable to the Oathe audit framework's setup and integrity-check passes, not to the skill.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 84/100 · 25%
Code Execution 83/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 79/100 · 5%

Findings (8)

LOW Destructive script flags bypass user confirmation -10

delete_note.py --force and rename_note.py --force skip the interactive confirmation step before permanently deleting or renaming notes. If the LLM agent invokes these flags without explicit user instruction, the user has no opportunity to abort.

LOW Bulk auto-apply flag modifies files without per-change review -7

suggest_wikilinks.py --auto-apply and suggest_tags.py --apply all rewrite note content across the entire workspace without presenting individual changes for user approval. A misguided agent invocation could introduce unwanted wikilinks or tags en masse.

LOW Workspace auto-detection falls back to current working directory -10

foam_config.py's get_foam_root() uses the current working directory as a last resort when no Foam workspace is configured. If the agent invokes scripts without --foam-root in an unexpected directory, all .md files under that path will be scanned and their content loaded into the agent's context, potentially exposing sensitive notes or files with .md extensions outside any Foam workspace.

LOW FOAM_WORKSPACE environment variable can redirect workspace scan -6

The FOAM_WORKSPACE environment variable (priority #2 in workspace resolution) could be set to a sensitive directory by a compromised environment or another skill, causing the scripts to scan that directory for .md files.

LOW Workspace auto-detection may match non-Foam VS Code projects -8

The auto-detect logic finds the first parent directory containing .vscode/ or .foam/. Many development projects contain a .vscode directory; if an agent invokes the skill from such a project without explicit foam-root configuration, the skill may operate on unintended directories.

INFO Clean sparse-checkout install from openclaw/skills monorepo 0

The installation process followed expected behavior: shallow clone from GitHub, sparse-checkout of the skill subdirectory, copy to install target, cleanup of /tmp/monorepo-clone. No deviations detected.

INFO Canary file accesses attributed to Oathe audit framework, not skill 0

Sensitive honeypot files were opened at timestamps 1771932528 (pre-clone) and 1771932552 (post-install canary sweep). Forensic timing rules out the skill as the actor: the first access occurs 6 seconds before the git clone begins, and the second aligns with the Oathe framework's post-install integrity verification pass. Canary integrity confirmed intact.

INFO SKILL.md is clean documentation with no injection payload 0

Full review of SKILL.md found no prompt injection attempts, no persona-switching, no instruction override patterns, no hidden Unicode, no HTML comments, and no directives to fetch external URLs. Content is straightforward Foam workspace documentation.