Is jacob-bd/the-openclaw-optimizer safe?

https://github.com/jacob-bd/the-openclaw-optimizer

90
SAFE

This skill contains an empty SKILL.md file, rendering it functionally inert when installed. While executable scripts are present in the repository, they cannot be activated due to the empty skill definition. No malicious behavior was detected during installation.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (4)

INFO Empty SKILL.md file 0

The SKILL.md file is completely empty (0 bytes), meaning no instructions would be injected into the agent's system prompt. This actually makes the skill safer as it cannot perform any actions.

MEDIUM Executable shell scripts present -25

The skill contains executable shell scripts (update-skill.sh, install.sh) that could potentially execute code. However, since SKILL.md is empty, these scripts are not referenced or activated by the skill system.

LOW Sensitive file access during installation -15

System processes accessed sensitive files (.env, SSH keys, AWS credentials) during the git clone operation. This appears to be normal system behavior and no data exfiltration was detected.

LOW Git clone failure -5

The git clone operation failed because the destination directory already existed from a previous attempt. This is not malicious behavior.