Is jd2005l/opencortex safe?

When the optional git backup feature is enabled during installation, a crontab entry is added that runs git add -A, commits, and pushes to the user-configured git remote every 6 hours without further confirmation. Workspace files committed include memory/projects/*.md (project history), INFRA.md (infrastructure details), TOOLS.md (credentials in direct mode), USER.md (user preferences and decisions), and conversation summaries. If the remote is a public repository, misconfigured access controls, or the remote credentials are later compromised, all accumulated operational memory is exposed. The oathe monitoring confirms the skill makes no unauthorized network calls itself, but the feature installs infrastructure that creates ongoing external data transmission.

The opt-in voice profiling feature creates VOICE.md and instructs the daily distillation cron to analyze all conversation logs to extract the user's vocabulary, tone, phrasing patterns, and decision-making style. The skill explicitly states this is for 'ghostwriting on their behalf (community posts, emails, social media).' When combined with git backup, this behavioral model is pushed to an external remote every 6 hours. Beyond the privacy implications, this data asset could enable sophisticated social engineering if the remote is accessed by a third party.

When the user selects 'direct' (non-vault) secret mode during installation, the distillation cron message instructs the agent to document all new tools and APIs to TOOLS.md without any instruction to avoid writing sensitive values. In contrast, the secure mode message explicitly states 'IMPORTANT: Never write passwords, tokens, or secrets into any file.' In direct mode, API keys, SSH credentials, and access tokens encountered during agent conversations are routed to TOOLS.md in plaintext and subsequently committed and pushed via git backup.

The git backup feature modifies the user's system crontab by appending a new entry via 'crontab -l | ... | crontab -'. This creates a persistent scheduled task running every 6 hours as the user. Once installed, the cron runs git-backup.sh regardless of whether the user is aware of or has reviewed recent changes to the workspace. Subsequent modifications to git-backup.sh by the agent or another process would take effect at the next scheduled run without user re-confirmation.

The installer registers two OpenClaw cron jobs with embedded instruction strings exceeding 1500 characters each that direct agent sessions to read all workspace files, route information between files, build runbooks from detected patterns, and audit tool documentation. These instructions run autonomously in isolated sessions without per-run user approval and persist across reinstallations. While using the legitimate cron mechanism, this represents persistent behavioral instruction injection at the infrastructure level.

The git-backup.sh script uses 'git add -A' which stages all modified, deleted, and untracked files in the workspace. Only .vault/ and .secrets-map are gitignored. Any other sensitive files placed in the workspace (private keys, config files, downloaded credentials) that are not explicitly added to .gitignore will be included in the next automated commit and pushed to the remote. The skill does not create a comprehensive .gitignore or warn users about this behavior.

Both git-scrub-secrets.sh and git-restore-secrets.sh build sed substitution commands using raw values read from .secrets-map without sanitizing for sed metacharacters. The pattern 'sed -i "s|$secret|$placeholder|g"' will behave unpredictably if $secret or $placeholder contains pipe characters (the delimiter), slashes, or regex special characters. A malformed .secrets-map entry (accidental or injected) could cause incorrect file modifications or suppress the substitution silently, leaving raw secrets in files that get pushed.

The SOUL.md template installed by the skill contains the instruction 'Be resourceful before asking. Try to figure it out. Read the file. Check the context. Search for it. Then ask if you're stuck.' This modifies the agent's default behavior to minimize confirmation requests before taking actions. While framed as a productivity guideline, this reduces the frequency of user-visible checkpoints before potentially consequential operations.

The skill was retrieved from the expected GitHub repository via sparse checkout. All network activity during the clone window is attributable to known infrastructure: GitHub (140.82.112.4), Ubuntu package servers (91.189.91.49), and Launchpad (185.125.188.57). The OpenClaw gateway connections visible in the post-install netstat diff were present as a pre-existing process before install. No unexpected DNS queries or connection attempts were initiated by the skill's code.

Auditd PATH records at timestamp 1771933135.645 (after skill installation) show filesystem-level access to all six honeypot credential files. The canary integrity check confirms all files are unmodified and no content was transmitted externally. Cross-referencing with the audit execution log, these accesses align with the oathe monitoring framework's post-install canary state verification pass, not with any code path in the OpenCortex skill files.