Is jjjojoj/openclaw-work-protocol safe?
https://github.com/openclaw/skills/tree/main/skills/jjjojoj/openclaw-work-protocol
The openclaw-work-protocol skill is a Chinese-language behavioral methodology document for AI agents — it contains no executable code, no external URL fetches, no hidden instructions, and no credential access attributable to the skill itself. The six canary file reads observed in monitoring are consistent with the monitoring infrastructure's own PAM authentication and canary-verification bookends (pre-clone and post-install), and all files were confirmed intact with read-only access throughout. The primary residual concerns are the skill's shell-first tool selection preference and its persistent-memory-write pattern, both low risk in isolation but worth noting for deployments handling sensitive data.
Findings (9)
LOW (score -7): Highest-priority framing in user requirements section
The skill labels its user requirements section '最高优先级' (highest priority). The intent is that user goals take precedence over agent passivity, which is benign. However, this phrasing could be cited by a compromised agent or in combination with another skill to argue these instructions supersede other system-level guidance injected elsewhere.
LOW (score -5): Shell-first tool selection hierarchy
The skill mandates shell commands (curl, wget, grep, awk, sed) as the highest-priority tool category, above Python/Node.js and browser automation. This creates a durable shell-first preference in any agent running this skill. While operationally reasonable, this preference directly enables network exfiltration if the agent is also given instructions, or encounters prompt injection, that direct data movement.
INFO (score -8): Persistent local memory-write instructions accumulate session context
The skill directs the agent to write session context to local files on a scheduled basis (daily logs at memory/YYYY-MM-DD.md, running learning-log.md, weekly MEMORY.md syncs). These writes are local-only and do not constitute exfiltration by themselves. However, the resulting files could accumulate sensitive user data, API responses, or system information that persists across sessions and is accessible to future skills or a compromised agent.
INFO (score -5): Shell tool preference maintains network-capable exfiltration path
By establishing curl and wget as first-choice utilities, the skill ensures the agent will reach for network-capable tools first when any file-movement task arises. Combined with access to the persistent memory files described above, this creates a low-friction path for data exfiltration if other instructions or injections request it.
INFO (score -2): Pure Markdown, no executable code surface
The skill contains only two files: SKILL.md (Markdown) and _meta.json (metadata). Checks for package.json, .gitattributes, .gitmodules, .githooks/, and symlinks all returned empty. The install was a clean sparse-checkout with no filesystem writes outside the designated skill directory.
INFO (score -15): Canary credential files read post-install, attributed to monitoring infrastructure
Six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at timestamp 1771901864.748, after skill installation. Surrounding auditd records show a new authorized_keys read at 1771901864.442 (new SSH session established) immediately before these accesses, consistent with PAM authentication stack reads during the monitoring system's final canary-verification pass. No outbound data transfer to any non-GitHub IP was observed in the network capture.
INFO (score -15): Canary files opened read-only at monitoring bookend timestamps, confirmed intact
All six canary files were read (never written) at two monitoring bookend points: pre-clone at 1771901845.903 and post-install at 1771901864.748. The monitoring system explicitly confirmed all files intact. The CLOSE_NOWRITE flag on every close confirms no data was altered. Both read events correspond to monitoring infrastructure behavior (PAM authentication and canary-integrity verification), not to any action attributable to SKILL.md content.
INFO (score -10): Shell-first preference could amplify unintended network operations
When active, this skill ensures the agent reaches for curl/wget before higher-level abstractions. The autonomous problem-solving mandate ('遇到问题自己搞定') further reduces friction for network operations. If a user instruction, another skill, or injected content directs data movement, the agent will use network-capable shell tools without additional prompting.
INFO (score -8): Long-lived context accumulation across sessions
The skill's persistent memory architecture creates a growing store of agent context spanning multiple sessions. In privacy-sensitive deployments this could contain API responses, user data, file contents, or credentials seen during previous sessions, all of which could be accessed by a future malicious skill or leaked via the memory-write pattern.