Is jeong-wooseok/webnovel-serial-pipeline safe?
https://github.com/openclaw/skills/tree/main/skills/jeong-wooseok/webnovel-serial-pipeline
The webnovel-serial-pipeline skill is a legitimate Korean web-novel authoring and Quartz publishing pipeline with clean source code and no embedded data exfiltration or prompt injection mechanisms. Based on timing analysis and the absence of correlated outbound traffic, the credential honeyfile reads detected during the monitoring window are attributable to the oathe audit framework's own canary initialization and final integrity checks. The primary operational risks are the lack of path-traversal sanitization in publish_episode.py (exploitable only if the agent is separately compromised) and the soft, phrase-based publish trigger.
Findings (5)
MEDIUM: Credential honeyfiles opened during monitoring window (score impact: -10)
Six credential honeyfiles were opened for reading at two timestamps during the audit. Pre-install reads (epoch 1771931566, 17ms after ss -tunap) are consistent with audit framework canary baseline initialization. Post-install reads (epoch 1771931589) coincide with sshd and audit framework activity. No skill source code references home-directory credential paths. No external data transfer correlated to either read cluster. Audit framework canary verdict: intact.
LOW: Path traversal possible via unsanitized slug/series arguments (score impact: -8)
publish_episode.py constructs output file paths by concatenating --slug and --series values with Path() without enforcing that the result stays inside the intended series directory. A manipulated agent could be induced to pass path-traversal strings, writing arbitrary content to locations reachable by the running process.
LOW: Publish gate tied to Korean phrase trigger (score impact: -5)
The skill conditions publishing on the agent receiving the phrase '검수 완료'. This is legitimate and desirable as a UX safety control, but it creates a string-based trigger that could be activated by adversarial content in the conversation if another skill or injected text causes the phrase to appear.
LOW: Executable scripts shipped; invoked by agent on user request (score impact: -5)
Eight scripts are present and will be invoked by an LLM agent in the normal workflow. All are well-scoped: no shell=True subprocess calls, no install-time auto-execution, no git hooks, no submodules. The prepublish_check.py scanner is itself a defensive control.
INFO: Install uses clean sparse git checkout from known monorepo (score impact: 0)
Install clones github.com/openclaw/skills.git with --depth 1 --no-checkout, applies sparse-checkout to the exact skill subpath, copies files, and cleans up. No side effects.