Is jeffaf/anime safe?
https://github.com/openclaw/skills/tree/main/skills/jeffaf/anime
The jeffaf/anime skill is a documentation-only install: three files (SKILL.md, README.md, _meta.json) with no executable code, no scripts, no hooks, and no submodules. The SKILL.md content is clean with no prompt injection attempts, persona overrides, or exfiltration instructions. Canary file read events recorded during the monitoring window are attributable to the Oathe harness performing baseline and final integrity checks, not to skill activity — the harness confirms all canary files are unmodified. The skill's primary anomaly is functional rather than security-related: the scripts/anime binary described in SKILL.md was not included in the installation, rendering the skill inert.
Findings (4)
INFO: Described script not present in installation (score impact: -12)
SKILL.md declares 'Script location: {skill_folder}/anime (symlink to scripts/anime)' but neither the scripts/ directory nor the anime binary was included in the sparse checkout. The installed skill contains only documentation and metadata files. This is a functionality gap, not a security concern — the absence of executable code is strictly safer than its presence.
INFO: Canary files read during monitoring — attributed to harness, not skill (score impact: -12)
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/...) were accessed twice during the audit window. Both access events are consistent with the Oathe monitoring harness performing baseline and post-install integrity checks, not with skill activity. The first access (audit 1771932184.588) precedes the git clone by ~6 seconds; the second (audit 1771932208.309) follows all post-install file reads as the final harness step. No installed executable code exists to trigger these reads independently.
INFO: Skill instructs curl to external public API (score impact: -7)
The SKILL.md instructs an agent to run anime search/info/season commands which (when the missing script is present) would invoke curl against api.jikan.moe. This is a declared, legitimate, no-auth public endpoint. No credentials or local data would be transmitted. Risk is minimal but noted as a network dependency.
INFO: Expected GitHub connectivity during install (score impact: -7)
The install process contacted 140.82.121.4:443 (GitHub) to clone the openclaw/skills monorepo with sparse checkout. This is expected and declared behavior for the OpenClaw skill installation mechanism. No other external IPs were contacted by the install process.