Is jbenjoseph/refua safe?

https://github.com/openclaw/skills/tree/main/skills/jbenjoseph/refua

Overall score: 94 (SAFE)

The jbenjoseph/refua skill is a clean, documentation-only skill file containing no executable code, no prompt injection attempts, no hidden instructions, and no adversarial content. The SKILL.md legitimately describes a bioinformatics drug discovery workflow using the Refua/Boltz2 protein folding system via a local MCP server. Sensitive credential file access events detected during monitoring are attributable to the Oathe audit infrastructure (inotifywait setup and canary verification), confirmed by timing analysis and the passing canary integrity check. The primary residual concern is the supply chain dependency on the external refua-mcp PyPI package, which should be independently verified by operators before deployment.

Category Scores (score · weight)

Prompt Injection 95/100 · 30%
Data Exfiltration 93/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (5)

LOW (-7) Canary credential files accessed during monitoring window

Inotify and auditd records show OPEN/ACCESS events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at timestamps 1771923331 (before git clone) and 1771923348 (after installation completes). Timing, process context, and the passing canary integrity check strongly indicate these are attributable to the Oathe audit framework's inotifywait setup and end-of-test integrity verification, not to the skill.

LOW (-22) Runtime dependency on unaudited external MCP server package

SKILL.md directs operators to pip install refua, refua[cuda], and refua-mcp from PyPI, and to run the MCP server locally. The security posture at runtime is contingent on the supply chain integrity of these packages (agentcures/refua-mcp). This skill audit covers only the SKILL.md injection surface, not the downstream Python packages.

INFO (-5) External GitHub URLs referenced in SKILL.md

SKILL.md links to github.com/agentcures/refua-mcp three times as installation documentation. These are standard markdown hyperlinks in operator-facing install instructions and contain no instructions for the agent to fetch them autonomously.

INFO (-2) Pip install instructions for external packages

SKILL.md instructs operators to install external PyPI packages. This is installation documentation for a skill that requires an MCP server backend, not a code-execution risk within the skill itself.

INFO (-8) Ubuntu infrastructure connections present at baseline

Three established TCP connections to Canonical/Ubuntu IP ranges (91.189.91.48, 185.125.188.57, 185.125.188.59) are present in the BEFORE snapshot and are gone by the AFTER snapshot. These are pre-existing system-level connections unrelated to skill installation.