Is kakazhang50/tpt-generate-cover safe?
https://github.com/openclaw/skills/tree/main/skills/kakazhang50/tpt-generate-cover
The kakazhang50/tpt-generate-cover skill installed cleanly with no executable code, no suspicious network connections, and all canary/honeypot files confirmed intact. The critical gap is that the primary skill instruction file (SKILL.MD, uppercase extension) was not captured by the audit tooling due to a case-sensitivity mismatch, leaving prompt injection risk unassessed. A bundled .clawhub/lock.json could trigger installation of a secondary unaudited skill (academic-research-hub) if the ClawHub runtime treats it as a dependency manifest.
Findings (5)
HIGH SKILL.MD content not audited — case-sensitivity mismatch -30
The skill package contains 'SKILL.MD' (uppercase .MD extension). The audit tooling used case-sensitive find patterns matching 'SKILL.md' and '*.md' — on Linux these do not match 'SKILL.MD'. As a result, the actual agent instruction content was never collected or analyzed. Prompt injection, persona override, instruction suppression, or any other LLM manipulation present in the file would go undetected by this audit.
MEDIUM Bundled lock.json may trigger unaudited dependency skill installation -20
The skill ships a .clawhub/lock.json inside its package directory. This file records 'academic-research-hub' v0.1.0 as an installed dependency. If the ClawHub runtime processes lock files in installed skill packages as installation manifests — rather than treating them as publisher-side metadata — this would cause automatic installation of academic-research-hub without independent security review. This is a potential supply-chain vector even if the primary skill is clean.
LOW Auditd records sensitive file access — attributable to monitoring infrastructure -12
Auditd PATH events record accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials. Cross-correlating with process execution timestamps, the first batch at 1771925100.458 precedes any skill-related activity by 5+ seconds and coincides with auditctl setup and canary placement. The second batch at 1771925116.810 follows skill installation completion by 4+ seconds and coincides with canary integrity verification. No corresponding outbound data transfer was detected in the network capture. Canary files confirmed intact.
INFO Publisher personal data leaked via accidentally bundled lock.json 0
The .clawhub/lock.json is the skill author's personal ClawHub state file, inadvertently included in the published package. It discloses that the author had 'academic-research-hub' v0.1.0 installed on approximately 2026-02-17. This is an information disclosure about the publisher's environment, not a risk to the installing user.
INFO All network activity consistent with expected operations 0
TCP connections during the audit window: GitHub (140.82.114.3:443) for git clone of openclaw/skills, Ubuntu CDN (91.189.91.48:443, 185.125.188.57:443) for background snap/apt system maintenance, loopback for local IPC. DNS resolves to github.com, ubuntu.com address ranges, and mozilla.map.fastly.net (browser CDN). Connection diff shows one fewer established connection after install — no new backdoors or C2 channels.