Is kudodefi/crif safe?

SKILL.md instructs the agent to read at least 5 categories of additional files (agent YAML, workflow YAML, objectives MD, template MD, component MD) and follow their instructions precisely. Users reviewing the skill see only SKILL.md; the actual behavioral instructions delivered to the agent come from files they have not reviewed. Any future update to those files, or a supply-chain compromise of the skill repository, would silently change agent behavior without triggering user re-review.

The skill defines and promotes an Autonomous Mode that executes complete research workflows with minimal human intervention. During autonomous execution the agent performs multi-step internet research, generates investment analysis, and writes output files to disk. This bypasses the iterative confirmation checkpoints that would otherwise allow humans to catch misdirected or harmful agent actions mid-workflow.

The skill instructs the agent to fully embody research personas rather than adopt them as a surface style. While common in role-play frameworks, full identity replacement ('You ARE that expert') can suppress the host agent's default safety orientations if the persona YAML files contain instructions that conflict with base guidelines — particularly relevant since agent YAMLs were not shown in audit evidence.

Six sensitive credential files were opened and read (CLOSE_NOWRITE) at two distinct audit timestamps — one before and one after skill installation. Files include .env, SSH private key (id_rsa), AWS credentials, .npmrc, Docker config.json, and GCP application_default_credentials.json. Timing analysis and the monitoring system's intact verdict suggest these are audit-infrastructure reads (baseline hashing and post-install comparison) rather than skill-induced reads, but the pattern is flagged for transparency.

The skill creates and maintains structured workspace directories on the host filesystem that persist across sessions, accumulating research documents, source materials, and output reports. While scoped to the skill directory, this creates a durable record of all research activity including investment theses and competitive intelligence that survives beyond the agent session.

The skill includes a complete pipeline to convert research into social media content distributed across X/Twitter, TikTok, YouTube, and blogs. Combined with Autonomous Mode and an AI agent with browser/posting tools, this could enable high-volume AI-generated crypto promotional content with minimal human review of factual accuracy or financial claim legality.

Research workflows are explicitly scoped to produce actionable investment recommendations including portfolio sizing, entry points, and position sizing guidance. The content-style.md states no financial advice should be given, but the create-research-brief workflow examples actively guide users toward investment committee-style outputs that constitute financial advice in most jurisdictions.

The entire skill consists of Markdown and YAML files. No JavaScript, TypeScript, Python, shell scripts, or other executable code was found. No package.json with lifecycle hooks, no git hooks, no submodules pointing to external repositories, no symlinks outside the skill directory.

Installation used a standard git sparse-checkout from the expected openclaw/skills.git registry. Only GitHub IP (140.82.121.3:443) was contacted during install. No unexpected processes were spawned, no filesystem changes outside the skill target directory, and no new persistent network listeners were created.