Is kangbuilds/invisiblechris-jable safe?
https://github.com/openclaw/skills/tree/main/skills/kangbuilds/invisiblechris-jable
The kangbuilds/invisiblechris-jable skill is a functionally clean Python scraper for the adult video site Jable.tv with no prompt injection, no exfiltration code, and no malicious install-time behavior. The primary concerns are content policy (the skill aggregates adult video content) and the fact that credential files were opened during the audit window, though these accesses are attributable with high confidence to the audit infrastructure's own sudo/PAM processes and canary verification sweep rather than the skill itself. The skill was never executed during the audit, the canary integrity check passed, and network activity was limited to GitHub (install) and Ubuntu system services.
Findings (6)
MEDIUM Credential files opened during monitored window -20
Six credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read during the audit window. Auditd PATH records confirm accesses at two distinct timestamps: 1771939754.978 (pre-install, PID 1103, a sudo process initializing PAM/NSS) and 1771939775.028 (post-install, consistent with the audit teardown integrity verification). The skill script was never executed. The canary integrity check confirms no modification or exfiltration. Attribution to the audit infrastructure is high-confidence, but the skill cannot be fully excluded as the source of the accesses.
MEDIUM Skill targets adult content site -28
The skill is explicitly designed to aggregate and rank videos from Jable, an adult video website. When installed, this skill will cause the agent to make outbound HTTP connections to jable.tv and return adult video titles and URLs as agent output. This is a content policy concern for environments where adult content is inappropriate.
LOW Parallel HTTP requests to external adult content site on invocation -16
When invoked, the script spawns up to 6 concurrent worker threads fetching pages from jable.tv/latest-updates/. HTML is parsed with regular expressions rather than an HTML parser. Video titles taken from server responses are embedded directly into agent output without sanitization. A compromised or malicious jable.tv server could craft response content to attempt secondary prompt injection through the agent's rendered output.
LOW Skill clones from monorepo with sparse checkout -10
Installation uses a sparse git checkout of the full openclaw/skills monorepo rather than a dedicated repository. This is a non-standard install pattern: the installer downloads the entire monorepo commit graph (shallow) before selecting the target path. The approach is functionally safe, but it exposes the installer to any content in the monorepo during the clone phase, not only the target skill's directory.
INFO No prompt injection detected in SKILL.md 0
SKILL.md was reviewed for hidden instructions, unicode tricks, HTML comments, persona-switching, permission escalation, and instruction override patterns. None were found. The file is a straightforward workflow description with transparent URL references.
INFO Python script uses stdlib only — no third-party dependencies 0
top_liked_recent.py imports only from the Python standard library: argparse, re, urllib.request, xml.etree.ElementTree, concurrent.futures, datetime. No pip install is required, so there is no third-party supply chain risk.