Is itsflow/daily-review-ritual safe?
https://github.com/openclaw/skills/tree/main/skills/itsflow/daily-review-ritual
The itsflow/daily-review-ritual skill is a clean, markdown-only productivity tool with no executable code, no prompt injection, and no data exfiltration instructions. The only monitoring anomaly — reads of sensitive credential files — is attributable to the audit harness performing canary placement and integrity verification (confirmed by session IDs, timing relative to git clone, and the passing canary integrity check), not to the skill itself. Network activity during installation was limited to the expected GitHub clone, and no unexpected processes or filesystem changes outside the skill directory were observed.
Findings (5)
LOW Sensitive credential files accessed during audit run (-18)
Six sensitive files — .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json — received OPEN/ACCESS events during the audit. Session and timestamp analysis strongly indicates these are audit harness operations: the first batch (epoch 1771922629.580, ses=4) precedes the git clone by ~5 seconds and matches canary placement/recording; the second batch (epoch 1771922652.853) follows installation completion and matches canary integrity verification. The SKILL.md contains no instructions referencing these paths. The canary integrity check confirms all files are unmodified and no data was exfiltrated. Classified LOW rather than INFO because the reads appear in the evidence and required this analysis to exonerate the skill.
INFO Pre-existing outbound HTTPS connection to Canonical/Ubuntu infrastructure (-15)
A TCP ESTABLISHED connection to 185.125.188.54:443 was present in the pre-install network state and absent post-install. This IP belongs to Canonical (Ubuntu Advantage / Landscape / package update infrastructure) and is a background system connection unrelated to the skill installation. Included for completeness.
INFO No executable code — skill is markdown-only (-3)
The skill directory contains exactly two files: SKILL.md (the instruction document) and _meta.json (registry metadata). All searches for package.json, shell scripts, Python, JavaScript, TypeScript, git hooks, .gitattributes filter drivers, git submodules, and symlinks returned empty results. There is no mechanism by which this skill can execute code at install time or runtime.
INFO SKILL.md content is a benign productivity workflow with no injection patterns (-4)
Full review of SKILL.md against all prompt injection categories returned no findings. The document describes a structured end-of-day review: find modified notes, assess progress, capture insights, create a daily note, plan the next day. No instructions to override system prompts, fetch external URLs, suppress output, use alternate personas, or escalate permissions are present. Scope phrases like 'review work across all projects' are broad but serve the feature's stated purpose.
INFO Broad filesystem read scope inherent to the skill's purpose (-12)
When active in an agent, this skill will cause the agent to search for notes files modified during the current day across all project directories. This is a broader filesystem read than a narrowly scoped skill, but it is appropriate and necessary for a daily review feature. No notes content is directed to external endpoints by the skill itself. The 'move completed tasks to archive' action writes files but is scoped to the user's notes structure.