Is ivy-end/meihua-yishu safe?
https://github.com/openclaw/skills/tree/main/skills/ivy-end/meihua-yishu
The meihua-yishu skill is a traditional Chinese divination calculator with a clean, narrow-scope Node.js implementation that performs only in-memory date arithmetic and produces JSON output with no network calls, file access, or dangerous operations. The main concerns are minor: a developer workspace lock.json was accidentally bundled in the package (leaking their skill state), a hardcoded installation path in SKILL.md could cause silent failures in non-standard deployments, and several sensitive credential files were opened during the install window by processes most likely attributable to the openclaw-gateway infrastructure rather than the skill itself. All canary honeypots remained intact.
Findings (5)
LOW Sensitive credential files accessed during install window (unattributed) -10
Audit PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were opened at timestamps 1771917112.900 and 1771917120.466, during the git clone/download phase. The pre-install (1771917103) and post-install (1771917126) access clusters match the canary baseline scans. The mid-install accesses most likely originate from the openclaw-gateway background process but cannot be definitively attributed without per-process filtering. The skill code contains no logic to read these files.
LOW Developer workspace lock file bundled inside skill package -5
.clawhub/lock.json is included inside the distributed skill package and lists a separate skill (academic-research-hub v0.1.0, installedAt 1770957475341) as if it were a dependency. This file appears to be the developer's own workspace state accidentally committed. No skill code reads this file, but it leaks information about the developer's installed skill environment and could confuse skill managers into treating it as an authoritative dependency declaration.
LOW Hardcoded absolute execution path in SKILL.md -5
SKILL.md instructs the agent to invoke the script via node /root/clawd/skills/meihua-yishu/scripts/meihua.js. This assumes a specific installation directory (/root/clawd/). If the skill is installed elsewhere, the agent may attempt to execute a non-existent or attacker-controlled path. The risk is low because the script itself is benign and no privilege escalation is possible through this path alone.
INFO Post-install openclaw-gateway connections to AWS endpoints 0
Two new ESTABLISHED TCP connections to AWS IPs (44.214.208.192:443, 54.211.197.216:443) appear in the post-install netstat diff, owned by the openclaw-gatewa process (pid 1100). This process was present before installation. These connections are platform infrastructure, not caused by the skill.
INFO Skill ships executable Node.js script (disclosed and benign) 0
scripts/meihua.js is a 90-line Node.js script that performs modular arithmetic on hour/minute inputs to derive I-Ching hexagram indices and outputs JSON. No require() beyond built-ins, no network calls, no file I/O. The script is fully disclosed in SKILL.md.