Is jiacode/deepresearchwork safe?

https://github.com/openclaw/skills/tree/main/skills/jiacode/deepresearchwork

86
SAFE

The jiacode/deepresearchwork skill presents a legitimate deep research methodology framework with clean SKILL.md content, no prompt injection patterns, no auto-executing code, and a straightforward git clone install with network activity limited to GitHub. Post-install credential file access events (audit 1771908882) are attributed to the monitoring framework's canary verification based on sub-millisecond simultaneous access to six files, and all canary files were confirmed intact. Residual operational concerns include the skill's claims on the write, edit, and memory access tools, which exceed read-only research requirements, and a URL generation pattern in the mock JS code that could theoretically enable DNS-based exfiltration if wired to live fetch calls with attacker-controlled input.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

MEDIUM Post-install credential file reads attributed to monitoring framework -22

Auditd PATH records at 1771908882.567 show simultaneous reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json within a single millisecond window post-install. The sub-millisecond simultaneity is inconsistent with skill code execution (which would iterate sequentially) and is consistent with the monitoring framework computing SHA-256 hashes of canary files for the baseline filesystem diff. Canary integrity check confirmed all files intact. No exfiltration-indicative outbound network traffic was observed in the corresponding timeframe.

MEDIUM Skill requests memory store access beyond research scope -15

SKILL.md declares memory_get and memory_search as required tools for 'referencing previous research.' These tools grant the skill read access to the agent's persistent memory, which may contain credentials, personal data, or sensitive context written by the user or other skills in prior sessions. A research skill could use this access legitimately, but the same access enables harvesting stored secrets if the skill were malicious.

LOW CommonJS JavaScript module included with class definition -15

research_workflow.js defines a class and exports it. No top-level execution occurs on require(). All method bodies return hardcoded mock values and perform no I/O. The file is structured as a reference implementation rather than an auto-executing payload. No lifecycle scripts (preinstall, postinstall) were present; package.json was absent entirely.

LOW Broad tool claims including write and edit access -10

SKILL.md requests the write and edit tools for 'creating structured research notes' and 'refining findings.' While legitimate for the stated use case, these tools enable the agent to create or overwrite arbitrary files if the skill's instructions are followed. A purely read-oriented research skill could be implemented without write access.

LOW URL domain component derived from search term input -12

generateMockSources() constructs source URLs by embedding the raw search term into the domain name after whitespace normalization. If this function were connected to actual web fetch calls and the search term were populated with encoded sensitive data (e.g., base64-encoded secrets), the resulting DNS lookups or HTTP requests would transmit that data to attacker-controlled infrastructure. In the current implementation these URLs are never fetched.

INFO Git clone to GitHub repository as expected -7

The install script performed a depth-1 sparse checkout from https://github.com/openclaw/skills.git, connecting to 140.82.121.3:443. This is the expected behavior for the openclaw monorepo install pattern. No additional repositories were cloned and no post-install network activity was observed.

INFO Third-party author with unverified identity -8

The skill is authored by 'jiacode' with a display name indicating origin from Xian. The skill is distributed through the openclaw/skills monorepo without cryptographic signing. There is no mechanism to verify that the published skill matches the author's intent or that the author has not been compromised.