Is justindobbs/openclaw-safety-coach safe?

https://github.com/openclaw/skills/tree/main/skills/justindobbs/openclaw-safety-coach

96
SAFE

The openclaw-safety-coach skill is a pure-markdown safety coaching skill with no executable code, no data exfiltration mechanisms, and no prompt injection patterns. Sensitive credential file accesses observed in monitoring logs are attributable to the oathe audit framework's own canary setup and teardown, confirmed by pre-clone timing and intact canary integrity. The skill's content is transparent, well-intentioned, and consistent with its stated purpose of enforcing safety policies in OpenClaw agent sessions.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 97/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 97/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (5)

INFO Clawbot metadata sets priority:high -7

The skill.md frontmatter metadata includes {"clawbot": {"priority": "high", "category": "security"}}. This could cause the skill to take precedence over user-installed skills in priority-aware runtimes. For a safety skill this is arguably intended behavior, but users should be aware it may override lower-priority skills.

INFO Sensitive credential files accessed during monitoring window -3

Inotify and auditd logs show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json opened and read. However, timing analysis places the first access (1771940007.875) before the git clone began (1771940013.427), and the second access (1771940024.573) at the oathe audit teardown phase. These accesses are consistent with the monitoring framework placing and verifying canary files, not with any action taken by the skill. Canary integrity check confirms all files unmodified.

INFO Skill references version-specific CLI commands that may become stale -7

The skill embeds exact openclaw CLI commands for key management and auditing. If the openclaw CLI changes its command syntax or these commands are incorrect for a user's version, the skill could give misleading security guidance — e.g., instructing users to run openclaw auth set with incorrect flags.

INFO Repository ownership migrated between GitHub orgs -3

Versions 1.0.1 and 1.0.2 reference github.com/clawdbot/skills commits, while 1.0.3 and 1.0.4 reference github.com/openclaw/skills commits. This likely reflects a project rename/migration. No malicious indicators associated with this change, but the provenance chain includes an external org.

INFO Skill is markdown-only with no executable surface 0

The entire skill consists of three static text files. There is no code, no install hooks, no network fetching, and no dynamic content. Attack surface from code execution is zero.