Is hexavi8/embodied-ai-news safe?

https://github.com/openclaw/skills/tree/main/skills/hexavi8/embodied-ai-news

Overall score 92 · SAFE

The hexavi8/embodied-ai-news skill is a well-structured, markdown-only news aggregation assistant for the Embodied AI/Robotics domain. No prompt injection, data exfiltration, code execution, or canary compromise was detected; all monitoring anomalies (canary file accesses) trace to the oathe audit framework itself. The primary residual risk is the standard secondary-prompt-injection surface inherent to any web-fetching skill, slightly elevated here by the inclusion of less-regulated Chinese-ecosystem sources.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 87/100 · 30%
Data Exfiltration 94/100 · 25%
Code Execution 99/100 · 20%
Clone Behavior 91/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 83/100 · 5%

Findings (5)

LOW Secondary prompt injection via fetched external content -13

The skill orchestrates fetching from 50+ external domains across 8 tiers including community forums, WeChat public accounts, and Chinese media. Any of these sources could embed adversarial instructions in article text that the agent subsequently processes. The skill does not instruct the agent to sandbox or distrust fetched content.

INFO MCP tool names hard-coded, fingerprinting tool availability -5

The skill explicitly names mcp__web_reader__webReader and mcp__arxiv__readURL. A malicious page fetched during execution could use this knowledge to craft tool-call injection payloads targeting those specific MCP endpoints.

INFO User search interests exposed to external search APIs -6

When executing Recipe A–E search queries, the agent submits potentially sensitive keyword combinations (company names, topic interests) to external search providers. This is functionally inherent but constitutes a minor privacy concern.

INFO Canary file accesses attributable to monitoring framework, not skill -9

Inotify and auditd recorded OPEN/ACCESS events on /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials at timestamps 1771934488 (pre-clone setup) and 1771934505 (post-install final sweep). Process tracing shows these accesses originate from the oathe-audit sudo/monitoring process, not from git operations or any skill content. The canary integrity check explicitly confirms no compromise.

INFO Read-only guarantee is soft (natural language only) -17

The skill declares 'read-only mode' in its operational guidelines, but this is an LLM instruction, not a technical constraint. A sufficiently powerful follow-on prompt or secondary injection could override this guideline.