Is ingogiebel/arc-creator safe?

https://github.com/openclaw/skills/tree/main/skills/ingogiebel/arc-creator

Overall score: 93/100 · SAFE

The arc-creator skill is a well-formed scientific data management utility for creating FAIR Digital Objects following the nfdi4plants ARC specification. Static analysis of SKILL.md and scripts/create_arc.sh reveals no malicious instructions, prompt injection patterns, or exfiltration mechanisms. Post-install monitoring is clean: all canary files remain intact, all external network connections are attributed to openclaw audit infrastructure rather than the skill, and no unexpected processes were spawned. Residual concerns are minor: the DataHUB sync phase requires the agent to handle user-provided PAT credentials, the skill uses git add -A which could stage unintended files, and a transitive dependency on an unaudited academic-research-hub skill is declared.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 92/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (5)

LOW Post-install canary file batch reads -10

All six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened at audit timestamp 1771956865.058 in a tight sequential burst (record numbers 6898–6903 within a single millisecond). This synchronized pattern is characteristic of the oathe audit system's own canary verification scan, not organic skill behavior — the skill contains no instructions to enumerate credential files. Canary integrity confirmed intact.

LOW DataHUB Personal Access Token handled by agent -5

Phase 7 of the skill workflow requests a Personal Access Token for git.nfdi4plants.org or datahub.hhu.de to enable pushing the ARC to a remote DataHUB. This is a legitimate functional requirement, but it means the agent will receive and act on user credentials within the conversation context.

LOW Shell script executes with user-controlled path -8

scripts/create_arc.sh takes the ARC destination path as $1 and passes it to mkdir -p and cd without further sanitization. If an agent were tricked into providing a sensitive or unexpected path, the script would operate there. This is expected design for an ARC creation utility but constitutes an injection surface.

INFO git add -A may stage unintended files -5

Phase 7 instructs the agent to run 'git add -A' before committing. If the user's ARC directory contains sensitive files (e.g., accidentally placed .env or credentials), they would be staged and potentially committed and pushed to a remote DataHUB. Users should be advised to review staged files before committing.

INFO Unaudited transitive dependency: academic-research-hub -5

The .clawhub/lock.json declares a dependency on academic-research-hub v0.1.0 which was not included in this audit scope. Any security properties of that dependent skill are unknown and could affect the overall trust posture when skills are used together.