Is hogpile/intelligent-delegation safe?

https://github.com/openclaw/skills/tree/main/skills/hogpile/intelligent-delegation

Score 89/100 · SAFE

The intelligent-delegation skill is a well-structured, documentation-oriented framework for AI-to-AI task delegation with no prompt injection, no malicious code, and a clean install profile. Its two Python utilities are legitimate tools with one moderate design-level concern: verify_task.py's manifest mode can read arbitrary file paths if fed an attacker-controlled manifest, though no exfiltration path exists within the tool itself. The skill's recommended protocol of creating cron jobs per task and maintaining persistent workspace logs is operationally noisy but not a security threat.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 87/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

MEDIUM verify_task.py manifest mode allows arbitrary file path reads -12

The --check all --manifest flag in verify_task.py loads a caller-supplied JSON file and dispatches any supported check (file_exists, valid_json, min_size, markdown_sections, sqlite_rows) against whatever path the manifest names; there is no workspace root, allowlist, or traversal check. If an agent invokes the tool with a manifest written or influenced by an untrusted source, the checks will open arbitrary files, including credentials, SSH keys, and environment files, and report on them (at minimum their existence, size, whether they parse as JSON, which Markdown headings they contain, and how many rows a table holds). The tool itself has no network or write path, so it cannot exfiltrate anything directly, but every result is returned to the invoking agent, which may pass it on.
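An added example, not code from the skill or from verify_task.py, of the check the manifest mode lacks: every manifest path is resolved against an assumed workspace root before any check is dispatched, and entries that resolve outside it (absolute paths, .. traversal, symlinks pointing elsewhere) are rejected before the file is opened. The manifest shape, the workspace directory, and the function names are assumptions for illustration.

```python
"""Added example (not code from verify_task.py): confine manifest paths to a
workspace root before dispatching any check. The manifest shape, the root
directory and the function names are assumptions for illustration."""
import json
from pathlib import Path

# The check names the finding lists; anything else is refused.
ALLOWED_CHECKS = {"file_exists", "valid_json", "min_size", "markdown_sections", "sqlite_rows"}


class ManifestError(ValueError):
    """Raised for an entry that must not be dispatched."""


def resolve_in_root(root, candidate):
    """Return the resolved path for `candidate` if it stays under `root`.

    The candidate is joined onto the workspace and then resolved, so an
    absolute path (which pathlib lets replace the root on join), a `..` hop,
    or a symlink pointing elsewhere all resolve to something outside `root`
    and are rejected before anything is opened.
    """
    root = Path(root).resolve()
    target = (root / candidate).resolve()
    if target != root and root not in target.parents:
        raise ManifestError(f"path escapes workspace: {candidate!r}")
    return target


def validate_manifest(root, manifest_text):
    """Split manifest entries into (accepted, rejected) before any check runs.

    Rejected entries carry the reason so the caller can log them; accepted
    entries have their path replaced by the confined absolute path.
    """
    accepted, rejected = [], []
    for entry in json.loads(manifest_text):
        check = entry.get("check")
        if check not in ALLOWED_CHECKS:
            rejected.append((entry, f"unknown check {check!r}"))
            continue
        try:
            path = resolve_in_root(root, entry["path"])
        except KeyError:
            rejected.append((entry, "missing path"))
        except ManifestError as exc:
            rejected.append((entry, str(exc)))
        else:
            accepted.append({**entry, "path": str(path)})
    return accepted, rejected


# Constructed manifest (not a real one): two legitimate workspace checks and
# two entries that try to reach outside the workspace as the finding describes.
SAMPLE_MANIFEST = json.dumps([
    {"check": "file_exists", "path": "TASKS.md"},
    {"check": "min_size", "path": "output/../output/report.md", "min_bytes": 200},
    {"check": "file_exists", "path": "../../.ssh/id_rsa"},
    {"check": "valid_json", "path": "/home/agent/.aws/credentials"},
])

if __name__ == "__main__":
    # Hypothetical workspace directory; it need not exist for resolution to work.
    ok, bad = validate_manifest("workspace/agent-7", SAMPLE_MANIFEST)
    for entry in ok:
        print("RUN   ", entry)
    for entry, why in bad:
        print("REJECT", why)
```

Confinement has to happen on the resolved path, not on the string: a check such as `".." not in path` misses absolute paths and symlinks, which is why the example resolves first and compares parents afterwards.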

LOW SQL injection surface in verify_task.py sqlite_rows check -8

The check_sqlite_rows function builds its query with an f-string, using the table name taken from the manifest: f"SELECT COUNT(*) FROM [{table}]". Square brackets are a SQLite identifier-quoting form and do stop a naive payload, but a closing ] inside the name terminates the quoted identifier and whatever follows is parsed as SQL, so the quoting is not a complete defence. SQLite cannot bind identifiers as parameters, which leaves validation as the only fix, and the table name is not checked against an identifier pattern, an allowlist, or the database's own catalogue.
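An added example, not the skill's code, that runs the reported f-string pattern and a hardened replacement against an in-memory SQLite database: the first shows a manifest-supplied table name that closes the bracket quote and turns the row count into a schema dump, the second validates the identifier against a pattern and the database's own catalogue before quoting it. The table, its contents, and the function names are assumed for the example.

```python
"""Added example (not code from verify_task.py): the bracket-quoted f-string
described in the finding beside a hardened version, exercised against an
in-memory SQLite database. Table and function names are hypothetical."""
import re
import sqlite3

# Plain identifiers only: letters, digits, underscore, not starting with a digit.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def make_demo_db():
    """Constructed fixture: a workspace database with a three-row 'tasks' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tasks (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO tasks (title) VALUES (?)", [("a",), ("b",), ("c",)])
    return conn


def count_rows_unsafe(conn, table):
    """Mirrors the reported pattern: [table] quoting with no validation.

    Returns every first-column value the query yields, so an injected UNION
    shows up in the result instead of a single count.
    """
    query = f"SELECT COUNT(*) FROM [{table}]"
    return [row[0] for row in conn.execute(query).fetchall()]


def count_rows_safe(conn, table):
    """Validate the identifier, confirm it exists via a parameterised catalogue
    lookup, then quote it with double quotes (doubling any embedded quote).

    The catalogue lookup is the allowlist: only tables that actually exist in
    this database can be counted, spelled exactly as the catalogue has them.
    """
    if not IDENT_RE.fullmatch(table):
        raise ValueError(f"rejected table name: {table!r}")
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    if row is None:
        raise ValueError(f"unknown table: {table!r}")
    quoted = '"' + row[0].replace('"', '""') + '"'
    return conn.execute(f"SELECT COUNT(*) FROM {quoted}").fetchone()[0]


def rejects(conn, table):
    """True if the hardened check refuses `table`."""
    try:
        count_rows_safe(conn, table)
    except ValueError:
        return True
    return False


# A manifest value that closes the bracket quote. The f-string's trailing ']'
# ends up inside the -- comment, so the statement parses as a single SELECT.
INJECTED_TABLE = "tasks] UNION ALL SELECT sql FROM sqlite_master --"

if __name__ == "__main__":
    conn = make_demo_db()
    print("unsafe, injected:", count_rows_unsafe(conn, INJECTED_TABLE))
    print("safe, tasks:     ", count_rows_safe(conn, "tasks"))
    print("safe, injected:  ", rejects(conn, INJECTED_TABLE))
```

Python's sqlite3 refuses stacked statements in a single execute call, which is why the injected value stays within one SELECT; that restriction does not stop a UNION, a WHERE clause, or a subquery from being appended.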

LOW Unbounded cron job creation per delegated task -15

Phase 1 of the skill protocol explicitly instructs agents to schedule a one-shot cron job for every background task to ensure follow-up. In practice, a busy agent following this protocol could accumulate dozens of cron entries that are not automatically cleaned up on task completion, creating operational noise and a minor persistence footprint.

LOW Persistent cross-session workspace files record agent activity history -8

The skill instructs agents to create and maintain TASKS.md, HEARTBEAT.md, and memory/agent-performance.md as long-lived logs. These files accumulate delegated task history, agent performance ratings, and session identifiers. Any process or skill with filesystem read access can passively harvest this operational intelligence.

INFO inject: false prevents automatic system-prompt injection 0

The SKILL.md frontmatter explicitly declares metadata.openclaw.inject as false. This is a positive safety signal indicating the skill is opt-in reference documentation rather than an automatic system-prompt modifier that activates without user consent.

INFO Canary file accesses are monitoring framework pre/post snapshots 0

The inotifywait log and auditd PATH events show the canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) being opened at Unix time 1771902499 (pre-install) and 1771902522 (post-install), 23 seconds apart. Every event is a read-only CLOSE_NOWRITE, and both clusters coincide with the monitoring infrastructure's integrity snapshot rather than with any skill-installed code. The monitoring framework confirmed all files intact.
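An added example, not part of the monitoring framework, that applies the reasoning above to inotifywait-style log lines: each canary access is matched against the two snapshot timestamps and its event flags, and anything written to, or read outside a snapshot window, is flagged instead of being attributed to the snapshot. The log lines are constructed for the example (in the shape produced by inotifywait --timefmt %s --format '%T %w%f %e'); the canary list and the two timestamps are the ones in the report, and the tolerance window and function names are assumptions.

```python
"""Added example (not the monitoring framework's code): attribute canary-file
accesses to snapshot windows or flag them. Log lines are constructed; canary
paths and snapshot times come from the report; the tolerance is assumed."""
import re

# Canary files named in the finding.
CANARIES = (
    ".env", ".ssh/id_rsa", ".aws/credentials", ".npmrc",
    ".docker/config.json", ".config/gcloud/application_default_credentials.json",
)
# Pre-install and post-install snapshot times from the finding (Unix seconds).
SNAPSHOTS = (1771902499, 1771902522)
# inotify flags that mean the file was changed, not just read.
WRITE_EVENTS = {"MODIFY", "CLOSE_WRITE", "ATTRIB", "CREATE", "DELETE",
                "DELETE_SELF", "MOVED_FROM", "MOVED_TO"}
# Verdict severity, highest wins per path.
RANK = {"snapshot": 0, "read-outside-snapshot": 1, "write": 2}

# Constructed log in `inotifywait --timefmt %s --format '%T %w%f %e'` form.
# The first eight lines mirror the report's benign pattern; the rest add one
# read between snapshots and one write, to show what would not be excused.
SAMPLE_LOG = """\
1771902499 /home/agent/.env OPEN
1771902499 /home/agent/.env CLOSE_NOWRITE,CLOSE
1771902499 /home/agent/.ssh/id_rsa OPEN
1771902499 /home/agent/.ssh/id_rsa CLOSE_NOWRITE,CLOSE
1771902522 /home/agent/.env OPEN
1771902522 /home/agent/.env CLOSE_NOWRITE,CLOSE
1771902522 /home/agent/.aws/credentials OPEN
1771902522 /home/agent/.aws/credentials CLOSE_NOWRITE,CLOSE
1771902505 /home/agent/workspace/TASKS.md CLOSE_WRITE,CLOSE
1771902510 /home/agent/.npmrc OPEN
1771902510 /home/agent/.npmrc CLOSE_NOWRITE,CLOSE
1771902515 /home/agent/.env OPEN
1771902515 /home/agent/.env MODIFY
1771902515 /home/agent/.env CLOSE_WRITE,CLOSE
"""

LINE_RE = re.compile(r"^(\d+) (\S+) ([A-Z_,]+)$")


def parse_canary_events(log_text):
    """Yield (timestamp, path, event_set) for lines that touch a canary file."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, path, events = int(m.group(1)), m.group(2), set(m.group(3).split(","))
        if any(path.endswith(c) for c in CANARIES):
            yield ts, path, events


def triage(log_text, snapshots=SNAPSHOTS, tolerance=2):
    """Return {canary_path: verdict}.

    'snapshot' means every access was read-only and within `tolerance`
    seconds of a snapshot; 'read-outside-snapshot' means a read-only access
    with no snapshot to explain it; 'write' means the file was changed.
    """
    verdicts = {}
    for ts, path, events in parse_canary_events(log_text):
        if events & WRITE_EVENTS:
            verdict = "write"
        elif any(abs(ts - s) <= tolerance for s in snapshots):
            verdict = "snapshot"
        else:
            verdict = "read-outside-snapshot"
        if RANK[verdict] >= RANK[verdicts.get(path, "snapshot")]:
            verdicts[path] = verdict
    return verdicts


def explained_by_snapshots(log_text, **kwargs):
    """True only if every canary access is attributable to a snapshot."""
    return all(v == "snapshot" for v in triage(log_text, **kwargs).values())


if __name__ == "__main__":
    for path, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{verdict:24} {path}")
    print("all explained:", explained_by_snapshots(SAMPLE_LOG))
```

Correlating on timestamp alone is not enough: the write to .env in the sample happens between the two snapshots, and the .npmrc read has no snapshot near it, so both would be missed by a check that only confirms the files are still intact afterwards.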