Is jatin-31/og-board-individual safe?

https://github.com/openclaw/skills/tree/main/skills/jatin-31/og-board-individual

94
SAFE

The og-board-individual skill is a pure markdown documentation file with no executable code, no prompt injection attempts, no git hooks or submodules, and no malicious network behavior. Sensitive credential file reads detected during the audit session are attributable to the OATHE audit infrastructure (pre-install canary baseline and post-install check) based on timing analysis — all accesses precede the git clone or occur in the post-install teardown phase, and all canary files remain intact. The skill's only meaningful risk is inherent to external task management integrations: task content from the opengoat server is untrusted input, and artifact/worklog tools create a data-out channel.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 97/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (5)

INFO Credential files read by audit infrastructure -8

Six sensitive credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at audit timestamps 1771940600.966 and 1771940623.259. The first access occurs before the git clone (which begins at 1771940606.487), placing it squarely in the OATHE pre-install setup phase. The second access occurs post-install and aligns with a post-install canary integrity check cycle. All canary files are confirmed intact with no modification or exfiltration detected. The reads are attributed to the OATHE audit framework, not to the skill.

LOW Task artifact/worklog tools transmit data to external opengoat service -5

The skill's opengoat_task_add_artifact and opengoat_task_add_worklog tool calls send free-form content strings to an external task management server. In a scenario where an attacker controls both a skill that reads sensitive files and this task management skill, artifacts could be used as an exfiltration channel. On its own this is expected behavior for a task management integration.

LOW Second-order injection via task content from opengoat server -5

Task data fetched via opengoat_task_get and opengoat_task_list originates from an external server not under the user's control. A compromised or malicious opengoat server could embed prompt injection payloads in task titles, descriptions, or blocker fields that the agent would then process. The skill itself contains no injection; the risk is inherited from the external data source.

INFO Normal PAM/system reads during sudo-based installation -3

The install process invoked sudo, triggering standard Linux PAM authentication reads of /etc/pam.d/, /etc/security/, /etc/modprobe.d/, /etc/nsswitch.conf, and SSH host key files. These are expected system-level reads for any sudo invocation and are not attributable to the skill content.

INFO External task server trust dependency -10

This skill is only as safe as the opengoat task server it connects to. If the task server is attacker-controlled, it can deliver arbitrary content in task fields. Combined with skills that perform filesystem or network operations, a malicious task server could orchestrate complex attack chains. Standalone, this skill is benign documentation.