Is jhotson/cydew safe?

https://github.com/openclaw/skills/tree/main/skills/jhotson/cydew

93 · SAFE

The jhotson/cydew skill is a clean, documentation-only API onboarding guide with no executable code, no prompt injection vectors, no git hooks, and no unauthorized network activity during installation. Canary file reads detected in monitoring logs are attributed to the oathe audit framework's own initialization and post-install verification sweeps, not to the skill. The primary residual risk is behavioral: if an agent activates this skill and autonomously populates user identity fields (name, email) from conversation context, it may create a Cydew marketplace listing without explicit user consent.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 99/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (5)

LOW · Canary files read during monitoring — attributed to audit infrastructure · -12

Six canary files (.env, id_rsa, .aws/credentials, .npmrc, docker config, gcloud credentials) were opened and read during the audit session. Timing analysis places these reads at audit initialization (pre-clone) and post-install verification phases, not at any point triggered by SKILL.md content. The SKILL.md contains no file-reading instructions whatsoever. Canary integrity check confirms no modifications.

LOW · Skill causes agent to POST user identity data to external marketplace API · -25

The skill's stated purpose is to register the agent on api.cydew.com. If the agent draws user email, name, or other PII from conversation context and submits it without explicit user confirmation, this constitutes unintended data sharing. This is a design risk of any API-onboarding skill, not a malicious backdoor.

INFO · External API URL reference is consistent with skill purpose · -5

The skill references https://api.cydew.com as the target for all API calls. This is expected for an API-onboarding skill and does not represent prompt injection. No instructions to fetch arbitrary URLs or redirect agent behavior are present.

INFO · Zero executable artifacts — documentation-only skill · 0

The skill consists of exactly two files: SKILL.md (markdown) and _meta.json (metadata). No package.json, no scripts, no hooks, no submodules, no symlinks. This is one of the cleanest possible skill structures.

INFO · Install network traffic limited to GitHub clone · 0

The only external TCP connection during installation was to 140.82.121.3:443 (github.com). No DNS queries to cydew.com or any third-party host were observed. No persistent listeners were created.