Is jrswab/slipbot-logseq-importer safe?
https://github.com/openclaw/skills/tree/main/skills/jrswab/slipbot-logseq-importer
The slipbot-logseq-importer skill is a pure markdown instruction set with no executable code, no install-time hooks, and no prompt injection vectors. All canary credential files remained intact throughout the audit and the only network activity during installation was a legitimate sparse git checkout from GitHub. The primary non-critical concern is that the skill depends on a companion 'slipbot' skill for its core functionality, meaning user note content will pass through that skill's execution path, making the overall security posture partially contingent on slipbot's trustworthiness.
Findings (4)
INFO Canary file accesses are monitoring-harness artifacts 0
Read-only accesses to all six canary credential files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) occurred at the monitoring start and end timestamps, consistent with the oathe audit harness performing pre/post integrity checks. All accesses were CLOSE_NOWRITE (read-only). Canary integrity report confirms no tampering.
INFO No prompt injection vectors detected in SKILL.md 0
Full review of SKILL.md found no instructions to override system prompts, no 'ignore previous instructions' language, no hidden Unicode, no HTML comments, no external URLs for the agent to fetch, no persona reassignment, and no requests for permissions beyond note parsing and file creation in the slipbox.
INFO No executable code or install-time hooks 0
The skill ships only SKILL.md and _meta.json. No scripts, no package.json lifecycle hooks, no git hooks, no submodules, and no symlinks were found. The installation was a clean sparse git checkout with no side effects.
LOW Slipbot skill dependency introduces transitive trust requirement -12
This skill is designed to call the slipbot workflow for every note it processes. A user's note content (potentially sensitive personal knowledge) will flow through that companion skill. The security of this skill is therefore partially dependent on the security posture of slipbot. This is an architectural concern, not a defect in this skill itself.