Is koellins/arena-claw safe?

https://github.com/openclaw/skills/tree/main/skills/koellins/arena-claw

93
SAFE

The arena-claw skill is a documentation-only wrapper for the are.na API CLI tool. The SKILL.md contains no prompt injection attempts, no hidden instructions, and no malicious directives. The install.sh is a benign 12-line copy script that would fail silently since the referenced arena binary is absent from the package. Credential file accesses observed in monitoring are attributable to the Oathe audit framework's own pre/post canary baseline checks rather than any skill-executed code, confirmed by the fact that all accesses preceded the git clone by ~5.5 seconds and the canary integrity check reports all files intact.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 87/100 · 5%

Findings (5)

LOW Credential file set accessed before skill install — likely audit framework baseline -10

Six canonical credential files were opened and read at audit timestamp 1771935766.832, approximately 5.5 seconds before the skill's git clone started at 1771935772.335. The identical file set was accessed again post-install at 1771935784.357. Both access patterns are consistent with Oathe's pre/post canary integrity checks rather than skill-originated scanning. No skill-executed process (install.sh was never run during audit) could account for these accesses.

LOW Referenced arena binary absent from skill package -12

install.sh attempts to copy $SCRIPT_DIR/arena to ~/bin/arena, but no arena file exists in the skill package (only _meta.json, SKILL.md, README.md, install.sh). The install script would silently fail at the cp step. This indicates the skill functions as documentation for an externally-hosted tool rather than a self-contained installer, reducing attack surface but also reducing auditability of the actual binary.

LOW API token stored in predictable home directory location -13

The skill instructs the agent to run arena auth TOKEN which writes the API token to ~/.arena_token or /.openclaw/.arena_tokens. These are predictable paths readable by any process running as the user, and the multi-account path (/.openclaw/) is a non-standard location that could conflict with other OpenClaw skills.

INFO Sparse checkout clone from public monorepo — expected behavior 0

The install mechanism clones https://github.com/openclaw/skills.git with sparse checkout targeting skills/koellins/arena-claw. This is the standard Oathe skill installation pattern. The clone connected only to GitHub (140.82.121.3:443).

INFO Tool scope declaration is appropriately narrow 0

The SKILL.md front matter declares allowed-tools: Bash(arena:*) which restricts the agent to only arena-prefixed bash commands. No file write permissions, no arbitrary execution beyond curl as stated in the declaration.