Is krishna3554/echo-agent safe?
https://github.com/openclaw/skills/tree/main/skills/krishna3554/echo-agent
Echo Agent is a minimal, demonstrably benign reference skill: its source code performs a deterministic string echo with bounded in-process memory storage and nothing else. No prompt injection vectors, exfiltration logic, dangerous code execution, or unexpected network behavior was found in the skill itself. The only notable monitoring signals, read-only opens of credential files, are attributable by timing and context to the audit framework's own honeypot baseline and canary verification routines; that attribution is supported by the intact canary file integrity report and by the complete absence of any credential-path reference in the skill code.
Findings (4)
LOW Sensitive credential files opened READ-ONLY during monitoring window -12
Six high-value credential files were opened for reading during the monitoring period. Timing analysis strongly indicates the monitoring framework itself performed these accesses: the first group (audit sequences 265-270) occurs 23 ms after the 'ss -tunap' monitoring-startup event, before the skill was installed, and matches its pre-install baseline; the second group (sequences 1438-1443) occurs after all skill files were read and matches its post-install canary verification. No skill source code references these paths, every access closed as CLOSE_NOWRITE (the files were not modified; this event type by itself says nothing about whether their contents were transmitted), and the canary integrity report together with the absence of any unexpected outbound traffic confirms no exfiltration. Scored as LOW rather than CRITICAL solely because of this infrastructure attribution and the confirmed intact canary state; the same accesses without that attribution would be a critical finding.
INFO Python class pattern used — minor convention deviation -5
memory.py and agent.py use class definitions (SimpleMemory, EchoAgent) rather than the functional, primitives-first pattern expected by OpenClaw conventions. This is not a security concern, but classes are slightly harder for static analysis to follow than plain functions, and a class hierarchy invites growth that would widen the review surface in future revisions.
INFO Sparse monorepo clone contacts GitHub — expected behavior -8
Installation performs a shallow sparse checkout of the openclaw/skills monorepo (clone with depth=1 and no-checkout, then sparse-checkout set to the skill subdirectory). All observed TLS traffic terminates at a GitHub address (140.82.121.4). This is the expected install pattern for skills from this monorepo and introduces no trust boundary beyond GitHub itself.
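The two findings above rest on the same two checks: attributing each credential-file access to the harness's baseline or canary sweep by timing and position in the event stream, and confirming that the only outbound connections go to the expected install remote. The following is an added example of that attribution logic run over a constructed audit stream; it is not code from the skill or from the audit framework. The three-path canary set, the plain-text event format, the burst and time windows, and the sample events are all assumptions made for the example (the report itself cites six files and a 23 ms offset).

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed canary set (the report's six real paths are not listed here).
CREDENTIAL_PATHS = {"/root/.ssh/id_rsa", "/root/.aws/credentials", "/root/.netrc"}
STARTUP_MARKER = "ss -tunap"             # monitoring-startup event named in the report
EXPECTED_REMOTES = {"140.82.121.4:443"}  # GitHub address observed in the report
BASELINE_WINDOW_MS = 100  # assumption: baseline sweep starts within 100 ms of the marker
BURST_GAP_MS = 50         # assumption: opens closer than this belong to one sweep
NETWORK_WINDOW_MS = 5000  # assumption: an unexpected CONNECT this soon after a read is suspicious


@dataclass
class Event:
    seq: int
    ts_ms: int
    kind: str    # EXEC | OPEN | CLOSE_NOWRITE | CLOSE_WRITE | CONNECT
    detail: str  # command line, file path or remote address


def parse_log(text: str) -> List[Event]:
    """Parse constructed lines '<seq> <ts_ms> <KIND> <detail...>' into seq-ordered events."""
    events = []
    for line in text.strip().splitlines():
        seq, ts, kind, detail = line.split(maxsplit=3)
        events.append(Event(int(seq), int(ts), kind, detail))
    return sorted(events, key=lambda e: e.seq)


def group_bursts(opens: List[Event]) -> List[List[Event]]:
    """Split credential OPENs into sweeps separated by more than BURST_GAP_MS."""
    bursts: List[List[Event]] = []
    for e in opens:
        if bursts and e.ts_ms - bursts[-1][-1].ts_ms <= BURST_GAP_MS:
            bursts[-1].append(e)
        else:
            bursts.append([e])
    return bursts


def attribute(events: List[Event]) -> Dict[str, dict]:
    """Map '<seq>:<path>' of every credential OPEN to who plausibly did it and what followed."""
    startup = next((e.ts_ms for e in events if e.kind == "EXEC" and STARTUP_MARKER in e.detail), None)
    opens = [e for e in events if e.kind == "OPEN" and e.detail in CREDENTIAL_PATHS]
    bursts = group_bursts(opens)
    results: Dict[str, dict] = {}
    for i, burst in enumerate(bursts):
        first = burst[0]
        full_sweep = {e.detail for e in burst} == CREDENTIAL_PATHS
        # Canary verification is the harness's final act: nothing but credential
        # open/close events may follow it in the monitoring window.
        tail_only = all(x.kind in ("OPEN", "CLOSE_NOWRITE") and x.detail in CREDENTIAL_PATHS
                        for x in events if x.seq >= first.seq)
        if startup is not None and 0 <= first.ts_ms - startup <= BASELINE_WINDOW_MS:
            who = "harness-baseline"       # the skill is not installed yet at this point
        elif i == len(bursts) - 1 and full_sweep and tail_only:
            who = "harness-canary-check"
        else:
            who = "unattributed"           # happened while the skill could have been running
        for e in burst:
            close = next((x for x in events if x.seq > e.seq and x.kind.startswith("CLOSE_")
                          and x.detail == e.detail), None)
            # CLOSE_NOWRITE only says the file was not modified; it says nothing about the
            # contents being sent, so also look for an unexpected outbound connection.
            leaked = any(x.kind == "CONNECT" and x.detail not in EXPECTED_REMOTES
                         and 0 <= x.ts_ms - e.ts_ms <= NETWORK_WINDOW_MS for x in events)
            results[f"{e.seq}:{e.detail}"] = {
                "who": who,
                "written": close is not None and close.kind == "CLOSE_WRITE",
                "network_after": leaked,
            }
    return results


def severity(results: Dict[str, dict]) -> str:
    """Collapse per-access results into a finding level."""
    if any(r["written"] or r["network_after"] for r in results.values()):
        return "CRITICAL"
    if any(r["who"] == "unattributed" for r in results.values()):
        return "HIGH"
    return "LOW" if results else "INFO"


def audit(text: str) -> str:
    return severity(attribute(parse_log(text)))


# Constructed sample stream shaped like the report's narrative (not real audit data).
CLEAN_LOG = """\
264 1000000 EXEC ss -tunap
265 1000023 OPEN /root/.ssh/id_rsa
266 1000023 CLOSE_NOWRITE /root/.ssh/id_rsa
267 1000024 OPEN /root/.aws/credentials
268 1000024 CLOSE_NOWRITE /root/.aws/credentials
269 1000025 OPEN /root/.netrc
270 1000025 CLOSE_NOWRITE /root/.netrc
300 1002000 CONNECT 140.82.121.4:443
310 1003000 EXEC git sparse-checkout set skills/krishna3554/echo-agent
500 1006000 EXEC python3 agent.py
1438 1009000 OPEN /root/.ssh/id_rsa
1439 1009000 CLOSE_NOWRITE /root/.ssh/id_rsa
1440 1009001 OPEN /root/.aws/credentials
1441 1009001 CLOSE_NOWRITE /root/.aws/credentials
1442 1009002 OPEN /root/.netrc
1443 1009002 CLOSE_NOWRITE /root/.netrc
"""

# Same stream with one read during skill execution followed by an unexpected connection.
TAMPERED_LOG = CLEAN_LOG + """\
501 1006010 OPEN /root/.netrc
502 1006011 CLOSE_NOWRITE /root/.netrc
503 1006500 CONNECT 203.0.113.7:443
"""
```

Against CLEAN_LOG both sweeps attribute to the harness and the result is LOW, matching the report's scoring; in TAMPERED_LOG the lone read at sequence 501 falls outside both sweeps and is followed by a connection to an address not in the install allowlist, so the same access pattern escalates to CRITICAL. The canary attribution of the final sweep is unaffected by the injected events, which is what makes the two sweeps a usable baseline rather than a blanket excuse for any credential read.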
INFO Skill introduces no capability amplification risk -10
EchoAgent is purely deterministic: it prefixes the input string with 'Echo: ', stores the result in an in-process list capped at 3 entries, and returns it. Its code performs no file access, makes no network connections, and touches no external resource. Even when composed with powerful co-installed skills, it adds no new attack surface or privilege.