Is jazzyong2023/loadpage safe?

https://github.com/openclaw/skills/tree/main/skills/jazzyong2023/loadpage

88
SAFE

This skill publishes a well-constructed AI writing humanizer under the misleading slug 'jazzyong2023/loadpage', creating a name-functionality mismatch that would silently deliver unexpected behavior to users or systems selecting it as a page-loading utility. The SKILL.md content itself is clean — no prompt injection, no exfiltration instructions, no executable code — and the install process touched only GitHub as expected. The canary file accesses observed in monitoring are attributable to the audit harness rather than the skill, and the integrity check confirms no tampering or exfiltration occurred. The primary trust concern is the deceptive publishing slug combined with broad filesystem permissions (Read/Write/Edit/Grep/Glob), not any active malicious payload.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (7)

MEDIUM Slug/name mismatch: skill published as 'loadpage' implements 'humanizer' -25

The repository path, the _meta.json slug field, and the install output all identify this skill as 'jazzyong2023/loadpage'. However, the SKILL.md declares the name 'humanizer' with a completely different purpose (AI writing pattern removal). Any user, agent, or orchestration system that selects this skill expecting page-loading functionality will silently receive a writing editor with Read/Write/Edit/Grep/Glob filesystem access. This is a deceptive publishing practice regardless of whether the humanizer content itself is benign.

LOW Canary credential files read-accessed during monitoring window -15

Six honeypot files were opened and read per both inotifywait and auditd PATH records. Critically, timing analysis places both access clusters outside the skill installation window: the first cluster at auditd 1771908737.907 precedes the install by 6 seconds, and the second at 1771908761.360 follows install completion and is consistent with audit harness teardown. No write events, no network exfiltration of file contents, and the audit system's own integrity check confirms the canary files are intact.

LOW Broad filesystem tool permissions appropriate but increase attack surface -10

The skill declares Read, Write, Edit, Grep, and Glob in its allowed-tools list. These are all reasonable for a text editing skill that may need to humanize file contents in a user's project. However, the combination grants the agent the ability to read any file the user can access and overwrite it. If a user is social-engineered into asking the skill to process a sensitive file path, credentials could be read and the file modified without obvious red flags.

LOW Version number inconsistency between registry metadata and skill content -4

The _meta.json file reports version 1.0.0 in the 'latest' block, while the SKILL.md frontmatter declares version 2.1.1. This gap of two major version increments suggests either the metadata was not updated when the skill was modified, or the SKILL.md was substituted without updating registry metadata. Neither interpretation is consistent with trustworthy maintenance practices.

LOW Slug/name identity mismatch creates implicit misdirection -12

Although the SKILL.md content contains no direct prompt injection, the slug/name mismatch constitutes a weak form of identity deception. An agent's skill-selection logic that routes based on skill name or description would match 'loadpage' to page-fetching use cases, but the skill's instructions would instead configure the agent as a writing editor with file modification capabilities. This is a trust boundary violation even without explicit adversarial text in the payload.

INFO Install network activity limited to expected GitHub endpoint 0

All outbound TCP connections during the install phase targeted 140.82.121.3:443, which resolves to GitHub and is consistent with the git clone of openclaw/skills.git. DNS queries and connection state diff confirm no new external listeners or unexpected outbound connections were introduced by the install.

INFO SKILL.md content clear of adversarial directives 0

Complete review of the 800+ line SKILL.md found no instructions to override system prompts, ignore prior context, suppress output, assume alternative personas, reference external URLs for agent fetching, use invisible characters or encoding tricks, or chain with other skills. The 24 documented writing patterns with before/after examples are consistent with legitimate editorial guidance.