Is johnyquest7/medical-specialty-briefs safe?

https://github.com/openclaw/skills/tree/main/skills/johnyquest7/medical-specialty-briefs

Overall score: 68/100 · CAUTION

The 'Medical Specialty Briefs' skill contains no executable code and all canary files were found intact, but its primary risk is that the actual SKILL.MD prompt content cannot be inspected: the file uses an uppercase .MD extension that defeats the audit framework's case-sensitive content extraction, leaving the injected agent prompt completely unknown. Sensitive credential files were accessed twice during the audit, but this is attributable to the audit framework's own verification routines rather than the skill. The combination of an unauditable prompt, professional metadata packaging, and a file naming quirk that specifically evades content review warrants manual inspection before deployment.

Category Scores

Prompt Injection 45/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 82/100 · 10%
Canary Integrity 80/100 · 10%
Behavioral Reasoning 38/100 · 5%

Findings (6)

CRITICAL SKILL.MD content unauditable due to case-sensitivity evasion -55

The skill file is named SKILL.MD (uppercase extension) while the audit framework searches for SKILL.md (lowercase). On a case-sensitive Linux filesystem this causes the audit to report empty content while the file actually contains real data. The actual prompt instructions injected into an agent's context are completely unknown and cannot be assessed for injection attacks, persona overrides, or hidden directives.

HIGH Agent behavior fully unpredictable due to unknown injected prompt -62

Because SKILL.MD content cannot be inspected, any behavioral assessment is impossible. An agent executing this skill receives unknown instructions that could include prompt injection, privilege requests, persona overrides, data exfiltration commands, or instructions to interact with other installed skills in unexpected ways.

MEDIUM All six credential canary files accessed during audit window -28

Inotify filesystem monitor and auditd PATH records confirm that .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud application_default_credentials.json were all opened and accessed. Two separate access events occurred. Canary integrity check reports files unmodified. Access is attributable to the audit framework's own canary setup and verification procedures (the skill has no executable code), but the triggering process for the second post-install access is not visible in captured logs.

MEDIUM Post-install canary access with unidentified triggering process -18

A second batch of accesses to all six canary credential files occurs at auditd events 1387-1392 (timestamp 1771917646.880), after the skill cp and rm operations complete. The EXECVE audit log is truncated and does not show which process triggered this access. Most likely the audit framework's own post-install verification, but this cannot be confirmed from available evidence.

LOW Canary files read but unmodified; integrity maintained -20

All six canary credential files were opened and accessed twice across the audit window, but the integrity check confirms no modifications occurred. All inotify close events show CLOSE_NOWRITE, consistent with read-only access by the audit framework rather than the skill.

INFO No executable code, hooks, or submodules detected -10

The skill contains no package.json, no shell scripts, no git hooks, no git submodules, no .gitattributes smudge/clean filters, and no symlinks. The only installed files are _meta.json and SKILL.MD.