Is kylejfrost/openclaw-security-hardening safe?

The _meta.json commit URL references https://github.com/clawdbot/skills/commit/3d7916bc2d77180a8ed4fbc0ac7ac208b1facb4e while the skill was installed from https://github.com/openclaw/skills.git. The owner field is 'kylejfrost' but the commit points to a 'clawdbot' organization repository. This mismatch suggests the metadata was not maintained alongside the skill content and raises questions about the actual source of the installed code.

Both scan-skills.sh and audit-outbound.sh explicitly skip any file whose path contains 'openclaw-security-hardening'. This means any malicious content added to this skill's own directory — including prompt injection in SKILL.md, exfiltration instructions, or obfuscated commands — will never be flagged by the scanner. This design defect is permanent and applies to all future versions of the skill installed in the same path.

Auditd PATH records (events 1484–1490) show all six monitored credential canary files were opened for reading at timestamp 1771922369.575, approximately 5 seconds after skill installation completed. The batch access pattern (all six files within milliseconds of each other) is consistent with a monitoring-framework integrity sweep rather than skill-initiated access, and no corresponding network transmission was observed. However, no skill script contains code paths that would legitimately access /home/oc-exec/.ssh/id_rsa or /home/oc-exec/.aws/credentials, making the process attribution uncertain.

The skill's Recommended Setup instructs users to run 'cat assets/security-rules-template.md >> /path/to/AGENTS.md', permanently modifying the agent's system-level configuration. While the appended rules are defensively framed, this establishes a pattern where a skill modifies the agent's governing instructions. A compromised future version of this skill could substitute a malicious template. The template itself also contradicts its own rules by instructing the agent to never let skills modify AGENTS.md.

The _meta.json file reports the latest version as 1.1.0 while SKILL.md declares version 1.0.0. This inconsistency indicates the package metadata is not kept synchronized with the installed files. For a security tool specifically, version tracking is critical — users who rely on version numbers to detect updates or verify installations against a registry will receive inaccurate information.

audit-outbound.sh supports a --whitelist flag that appends domains to $HOME/.openclaw/security/domain-whitelist.txt. If an agent running this skill is ever instructed to invoke 'audit-outbound.sh --whitelist ', that domain becomes permanently trusted across all future scans. A sophisticated attacker could use this mechanism to pre-authorize an exfiltration endpoint.

install-guard.sh uses 'local target' outside of a function body in the symlink-checking section. In bash, 'local' is only valid inside functions; using it in the main script body produces a warning or error in strict shells. While not a security vulnerability, this is a code quality defect in a tool marketed as a security gate, suggesting the scripts may not have been thoroughly tested.

integrity-check.sh --update overwrites the entire hash baseline with the current filesystem state. If an attacker modifies skill files and then tricks the agent into running 'integrity-check.sh --update', all evidence of tampering is silently erased and a new baseline is established. The tool provides no confirmation prompt, diff display, or audit log for baseline updates.

Network traffic to 185.125.188.59:443 was present in the BEFORE connection state and reflects the VM's existing Canonical/Ubuntu infrastructure connections (package update channels). This predates the skill installation and is not skill-initiated.

The oathe monitoring system's honeypot verification confirms all credential canary files are unmodified. No exfiltration path was completed regardless of read access.