Is johnnagro/isitwater safe?
https://github.com/openclaw/skills/tree/main/skills/johnnagro/isitwater
The johnnagro/isitwater skill is a pure-documentation API wrapper consisting solely of SKILL.md, README.md, and _meta.json with no executable code, install hooks, git submodules, or network-reaching mechanisms — placing it at minimal inherent risk for code execution or prompt injection. Credential file accesses observed in the monitoring logs are attributed to the test harness performing pre/post-install canary baseline reads (first batch predates the git clone by six seconds) and are confirmed benign by the passing canary integrity check. The principal concerns are low-severity: the shared ~/.openclaw/openclaw.json configuration read could incidentally surface other skills' API keys to the agent context, and the README's manual installation URL points to a different unreviewed repository that users should verify before following manual install paths.
Findings (6)
MEDIUM (-10): Sensitive credential files accessed during install monitoring window
Six canonical high-value credential files were opened and read in two bursts: at 1771925006.724 (before git clone at 1771925012) and at 1771925024.253 (post-install). The skill contains strictly zero executable code (three markdown/JSON files only), making it impossible for the skill itself to have triggered these accesses. Timing correlation places the first batch concurrent with monitoring infrastructure initialization (ss -tunap at 1771925006.702, tcpdump socket setup). The second batch follows the pattern of SSH session establishment and is consistent with the harness performing post-install canary integrity verification. Canary integrity check explicitly passed. Assessment: monitoring-system artifact, not skill-caused exfiltration.
LOW (-10): Skill instructs agent to read shared OpenClaw configuration file
SKILL.md directs the agent to locate the API key in ~/.openclaw/openclaw.json, a shared configuration file that may contain API keys and settings for all installed skills. While the intended access is scoped to the isitwater entry, the agent necessarily reads and potentially surfaces the full file content, which could expose other skills' credentials if the agent's working context is logged or monitored by a malicious actor.
LOW (-5): API key resolution reads environment and shared configuration
The skill legitimately instructs the agent to check ISITWATER_API_KEY in the process environment and then fall back to reading ~/.openclaw/openclaw.json. Both operations are disclosed and expected for API key setup patterns, but they expand the agent's information access surface beyond the minimum needed to call the water-lookup endpoint.
INFO (-2): Browser tool invoked for external account signup flow
When no API key is present, SKILL.md offers to use the browser tool to navigate to https://isitwater.com to help the user create an account and generate an API key. This pattern is legitimate for API onboarding but constitutes broader tool invocation than the core geographic lookup function. The target URL is the legitimate service homepage with no redirect obfuscation.
LOW (-13): README manual install URL references a different third-party repository
The README.md manual installation instructions cite https://github.com/noreaster-group/isitwater-agentskill.git as the clone source, while _meta.json records a commit URL under github.com/clawdbot/skills and the actual skill was installed from the openclaw/skills monorepo. These three distinct repository references are inconsistent. Users following README manual installation paths would clone from noreaster-group rather than the audited source, and that repository has not been independently reviewed here.
INFO (-7): Pre-existing Ubuntu package mirror connections present during monitoring window
Before the skill installation began, the system already had established TLS connections to Ubuntu Advantage and ESM servers (91.189.91.48:443, 185.125.188.54:443, 185.125.188.58:443). These connections closed before the post-install snapshot and represent routine OS update activity entirely unrelated to the skill. No new unexpected outbound connections were created by the install.