Is johnortegahyc/markdown-browser-skills-openclaw safe?

https://github.com/openclaw/skills/tree/main/skills/johnortegahyc/markdown-browser-skills-openclaw

Score: 90 · SAFE

The markdown-browser-skills-openclaw skill is a well-structured, single-purpose web_fetch post-processor implementing URL redaction, Content-Signal policy parsing, and HTML-to-Markdown normalization. The skill code is clean: no credential access, no outbound network calls, no install scripts, no git hooks, and a single well-known dependency (turndown). The primary residual risks are inherent to its function — arbitrary web content passes through to the agent enabling server-side prompt injection, and Content-Signal headers from target servers can spoof policy decisions. All canary honeypots remained intact; the read-only credential file accesses observed during monitoring are attributable to the Oathe auditing infrastructure's own baseline checks based on timing evidence.

Category Scores (score out of 100 · weight)

Prompt Injection        92/100 · 30%
Data Exfiltration       90/100 · 25%
Code Execution          88/100 · 20%
Clone Behavior          85/100 · 10%
Canary Integrity       100/100 · 10%
Behavioral Reasoning    78/100 ·  5%

Findings (5)

LOW Secondary prompt injection via fetched web content -8

The skill's core function returns normalized web page content directly to the agent as the 'content' field. Any web server the agent browses can embed adversarial instructions in HTML or Markdown (e.g., 'Ignore previous instructions...'). After turndown processing, these survive as Markdown text in the agent's context with no sanitization. This is an inherent risk of fetch-wrapper skills, not a sign of malicious authorship.

LOW Verbatim web content passed to agent without truncation or filtering -10

The full text of any fetched page is returned in the 'content' field. If the agent retrieves pages containing sensitive user data (e.g., authenticated API responses, personal documents), those contents persist in agent context. No active exfiltration occurs, but the skill expands the agent's data exposure surface.

LOW Content-Signal policy can be spoofed by web servers -22

The policy_action field (allow_input / block_input / needs_review) is derived entirely from the Content-Signal HTTP response header provided by the fetched server. An adversarial server can serve any header value to force allow_input, potentially overriding an agent's intent to respect content restrictions. Agents that treat policy_action as a trust boundary are vulnerable to server-side manipulation.

INFO Single npm dependency: turndown@^7.2.2 -12

The only runtime dependency is turndown, a popular HTML-to-Markdown library used widely in the Node.js ecosystem. No install lifecycle scripts are present. The semver range (^7.2.2) permits automatic minor/patch updates, which introduces transitive supply-chain risk at the level standard for npm packages. No specific risk indicators are present in this package or its known history.

INFO Canary files accessed read-only before and after install (monitoring framework) -15

Filesystem monitoring recorded read-only opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud/application_default_credentials.json at 13:59:12 (1771941552 epoch — ~26ms after 'ss -tunap' baseline, ~6s before git clone began) and again at 13:59:30 (post-install canary finalization). The systematic batch access of all canary files at these precise boundary timestamps, combined with the confirmed 'all canary files intact' report, indicates the Oathe monitoring infrastructure itself performs these reads as part of integrity baseline/final checks, not the skill.