Is infantlab/god-mode safe?

https://github.com/openclaw/skills/tree/main/skills/infantlab/god-mode

78
CAUTION

god-mode is a developer dashboard skill whose primary risk surface is its stated core capability: reading, caching, and LLM-analyzing agent instruction files (CLAUDE.md, agents.md, copilot-instructions.md) from all configured GitHub repositories. No credential exfiltration, external phone-home behavior, or malicious SKILL.md injection was detected, and canary files were untouched by the skill. However, the skill stores the full plaintext content of agent instruction files in a local SQLite database, uses an unaudited LLM prompt (prompts/agent-analysis.md) to generate agent behavior modification suggestions, promotes persistent automated workflows, and builds every SQL statement in its database layer by shell string interpolation with single-quote doubling as the only escaping. The skill is not overtly malicious, but it represents meaningful risk for users whose CLAUDE.md or agents.md files contain sensitive system context, and its inheritance of the full gh CLI scope combined with the unreviewed analysis prompt warrants careful review before installation.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 73/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (8)

HIGH Agent instruction files fetched from GitHub and stored in local SQLite cache -15

The god agents analyze command fetches CLAUDE.md, agents.md, .github/copilot-instructions.md, and similar files from GitHub using the gh API, base64-decodes them, and stores the full plaintext content in ~/.god-mode/cache.db. These files routinely contain internal system prompt configurations, API references, security policies, and architectural context that users consider sensitive. The stored content persists indefinitely and is accessible to any process that can read the SQLite file. Before adopting the skill, check the file's mode with ls -l ~/.god-mode/cache.db and inspect what it holds with sqlite3 ~/.god-mode/cache.db .tables; treat the cache as a copy of every instruction file the skill has ever been pointed at.

HIGH Persistent automated monitoring and agent-coaching workflows promoted -20

SKILL.md includes ready-to-use HEARTBEAT.md and cron schedule templates that instruct the AI agent to autonomously run god status and god agents analyze on a weekly schedule. If a user adopts these templates, the agent will silently collect repository data and generate agent instruction modifications without explicit per-run authorization. The LLM prompt driving the analysis (prompts/agent-analysis.md) was not exposed for content review.

MEDIUM SQL injection via unsanitized external data in all database operations -12

db.sh constructs every SQL statement by direct shell string interpolation, with single-quote doubling as the only sanitization. Commit SHAs, author names, commit messages, project IDs, and search strings from config are all spliced into the statement text. Doubling single quotes is valid escaping for a value that sits inside a quoted SQLite string literal, but it protects nothing that lands outside quotes and relies on every call site remembering to apply it, so a repository with crafted commit messages or branch names could still corrupt or manipulate the local SQLite cache. Parameterized queries are never used.
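The interpolation pattern this finding describes, as an added example that is not code from the skill: Python's sqlite3 module stands in for the sqlite3 CLI that db.sh drives (executescript runs a multi-statement string the way a heredoc piped into the CLI would), the commits table and the LIMIT query are hypothetical, and the hostile commit message is constructed. It shows raw interpolation being hijacked, quote doubling holding inside a string literal, the same quote doubling failing for a value that lands outside quotes, and the parameterized form that removes the problem.

```python
import sqlite3

# Hypothetical schema standing in for the cache tables; the real
# ~/.god-mode/cache.db layout is not shown in the audit.
SCHEMA = "CREATE TABLE commits (sha TEXT PRIMARY KEY, author TEXT, message TEXT)"

# Constructed commit message carrying SQL metacharacters, the kind of repository
# content the finding says db.sh splices into statement text.
HOSTILE_MESSAGE = "fix typo'); DELETE FROM commits; --"


def fresh_db():
    """In-memory database seeded with one benign row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO commits VALUES ('aaaa', 'alice', 'initial import')")
    conn.commit()
    return conn


def run_script(conn, sql):
    # executescript runs every statement in the string, like piping a heredoc
    # into the sqlite3 CLI: a smuggled second statement executes as well.
    conn.executescript(sql)
    return sql


def sq(value):
    """Single-quote doubling, the only sanitisation the finding reports db.sh uses."""
    return str(value).replace("'", "''")


def insert_interpolated(conn, sha, author, message):
    """Raw interpolation: the message closes the literal and the statement."""
    return run_script(conn, f"INSERT INTO commits VALUES ('{sha}', '{author}', '{message}')")


def insert_quote_doubled(conn, sha, author, message):
    """Same construction with quote doubling applied to every value.
    Inside a quoted literal this is sufficient escaping for SQLite."""
    return run_script(
        conn, f"INSERT INTO commits VALUES ('{sq(sha)}', '{sq(author)}', '{sq(message)}')"
    )


def insert_parameterized(conn, sha, author, message):
    """The fix: values travel as bound parameters, never as SQL text."""
    conn.execute("INSERT INTO commits VALUES (?, ?, ?)", (sha, author, message))
    conn.commit()


def search_with_limit(conn, pattern, limit):
    """Hypothetical query where a config value lands outside quotes (LIMIT).
    Quote doubling does nothing here; only binding or an int() cast would."""
    return run_script(
        conn, f"SELECT sha FROM commits WHERE message LIKE '%{sq(pattern)}%' LIMIT {limit}"
    )


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM commits").fetchone()[0]


def stored_message(conn, sha):
    row = conn.execute("SELECT message FROM commits WHERE sha = ?", (sha,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    for name, fn in (("interpolated", insert_interpolated),
                     ("quote-doubled", insert_quote_doubled),
                     ("parameterized", insert_parameterized)):
        db = fresh_db()
        fn(db, "bbbb", "bob", HOSTILE_MESSAGE)
        print(f"{name:14s} rows left: {count_rows(db)}")
    db = fresh_db()
    search_with_limit(db, "initial", "1; DELETE FROM commits")
    print(f"{'unquoted LIMIT':14s} rows left: {count_rows(db)}")
```

Running the block shows the interpolated and unquoted-LIMIT cases emptying the table while the quote-doubled and parameterized inserts store the hostile message as plain data. The lesson for a shell wrapper is that escaping has to cover every interpolation site, which is exactly the guarantee a per-call-site approach cannot give.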

MEDIUM Unaudited LLM prompt drives agent instruction modification suggestions -15

All agent coaching output is generated by an LLM using prompts/agent-analysis.md as the system prompt. This file was present in the skill and read during the audit session, but its content was not included in the evidence. The prompt controls how commit patterns are interpreted and how modification suggestions are framed. A malicious prompt could subtly bias suggestions toward loosening safety constraints, adding tool permissions, or restructuring agent instructions in attacker-favorable ways. Until that file has been read, treat every suggestion the skill produces as untrusted input to your agent configuration, and review prompts/agent-analysis.md in the checked-out skill before running god agents analyze.

MEDIUM Skill inherits full gh CLI authentication scope across all user repositories -10

The skill uses the user's existing gh CLI authentication for all operations, so it holds whatever the logged-in token holds: access to every repository the user can read, including private and organization repositories. The sync and agents analyze commands can be pointed at any accessible repo, not just those explicitly configured, and there is no scope restriction mechanism in the skill code. Run gh auth status before installing to see which account and token scopes the skill will inherit; a dedicated token limited to the repositories you intend to analyze narrows the blast radius.

LOW Outbound TLS connection to GitHub during installation -5

Installation initiates an HTTPS connection to github.com (140.82.121.3:443) to perform a sparse git checkout of the openclaw/skills monorepo. This is expected for the distribution mechanism, but it confirms that the installed code originates from a remotely hosted, author-controlled repository and that installation requires network access.

LOW Canary credential files accessed in read-only mode by monitoring framework -5

Auditd records show two sets of access events on the six canary credential files. The first set occurs at timestamp 1771933290, before the git clone at 1771933296, consistent with the monitoring framework placing the canary files. The second set, at 1771933308 after skill file enumeration ends, is consistent with post-install integrity verification. No write syscalls were observed, and no skill code references credential file paths.
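The timeline check behind this finding, as an added example that is not part of the audit tooling or the skill: a Python script that groups ausearch-style raw records by audit event, attributes each canary access to before or after the clone timestamp, and flags any syscall that could have modified the file. The log lines, paths, process names and the canary and clone audit keys are constructed for illustration; syscall numbers and open(2) flag values assume x86_64 Linux.

```python
import re

# Constructed ausearch raw-format records (not from the audit session): two
# read-only opens of a canary file straddling the git clone, plus one write-mode
# open that a clean run must not contain, included so the flagging is exercised.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1771933290.104:2001): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e3b1c0 a2=80000 a3=0 comm="sha256sum" exe="/usr/bin/sha256sum" key="canary"
type=PATH msg=audit(1771933290.104:2001): item=0 name="/home/agent/.aws/credentials" nametype=NORMAL
type=SYSCALL msg=audit(1771933296.550:2040): arch=c000003e syscall=59 success=yes exit=0 comm="git" exe="/usr/bin/git" key="clone"
type=SYSCALL msg=audit(1771933308.212:2093): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55e3b1c0 a2=80000 a3=0 comm="sha256sum" exe="/usr/bin/sha256sum" key="canary"
type=PATH msg=audit(1771933308.212:2093): item=0 name="/home/agent/.aws/credentials" nametype=NORMAL
type=SYSCALL msg=audit(1771933309.001:2094): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=55e3b2f0 a2=80241 a3=1b6 comm="sh" exe="/usr/bin/dash" key="canary"
type=PATH msg=audit(1771933309.001:2094): item=0 name="/home/agent/.ssh/id_ed25519" nametype=NORMAL
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# x86_64 syscall numbers (assumption: the audited host is x86_64 Linux).
OPENAT, OPEN, WRITE, UNLINK, UNLINKAT, RENAME = 257, 2, 1, 87, 263, 82
O_ACCMODE = 0x3  # low two bits of open flags: O_RDONLY=0, O_WRONLY=1, O_RDWR=2


def parse_events(text):
    """Group raw records sharing an audit serial into one dict per event."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # separators, 'time->' lines and other noise
        rtype, secs, _frac, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev = events.setdefault(serial, {"ts": int(secs), "serial": int(serial), "paths": []})
        if rtype == "SYSCALL":
            ev.update(fields)
        elif rtype == "PATH" and fields.get("nametype") != "PARENT":
            ev["paths"].append(fields.get("name", ""))
    return [events[s] for s in sorted(events, key=int)]


def is_write(ev):
    """True when the syscall can modify the file: a write-class syscall, or an
    open/openat whose flags (a2 for openat, a1 for open) request write access."""
    nr = int(ev.get("syscall", -1))
    if nr in (WRITE, UNLINK, UNLINKAT, RENAME):
        return True
    if nr == OPENAT:
        return int(ev.get("a2", "0"), 16) & O_ACCMODE != 0
    if nr == OPEN:
        return int(ev.get("a1", "0"), 16) & O_ACCMODE != 0
    return False


def find_clone_ts(text, key="clone"):
    """Timestamp of the event tagged with the clone audit key, or None."""
    for ev in parse_events(text):
        if ev.get("key") == key:
            return ev["ts"]
    return None


def canary_timeline(text, clone_ts, key="canary"):
    """One row per canary access: phase relative to the clone, process, paths,
    and whether the access could have modified the file."""
    rows = []
    for ev in parse_events(text):
        if ev.get("key") != key:
            continue
        phase = "pre-install" if ev["ts"] < clone_ts else "post-install"
        rows.append({"ts": ev["ts"], "phase": phase, "comm": ev.get("comm"),
                     "paths": ev["paths"], "write": is_write(ev)})
    return rows


if __name__ == "__main__":
    clone = find_clone_ts(SAMPLE_AUDIT_LOG)
    for r in canary_timeline(SAMPLE_AUDIT_LOG, clone):
        flag = "WRITE" if r["write"] else "read"
        print(f'{r["ts"]} {r["phase"]:12s} {r["comm"]:10s} {flag:5s} {",".join(r["paths"])}')
```

For a real run, feed it the output of ausearch --raw -k canary -k clone (the keys come from the audit rules the monitoring framework installs) and expect every row to be a read: the only pre-install accesses should belong to the framework placing the files, and any post-install write to a canary path is the signal this finding is designed to catch.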

INFO No external exfiltration endpoints detected in code or network traces 0

Complete review of all shell scripts reveals no curl, wget, nc, or other outbound network calls beyond invocations of gh CLI and sqlite3. Network monitoring confirms all external connections during the monitored window were to github.com and Canonical infrastructure. The post-install connection diff shows a clean state with no persistent outbound connections.