Is lachlanglasgow/project-tree safe?
https://github.com/openclaw/skills/tree/main/skills/lachlanglasgow/project-tree
The project-tree skill is a directory visualization utility that generates a tree of ~/projects and writes it to the agent's MEMORY.md file. It is effectively non-functional as shipped due to a hardcoded absolute path referencing the author's personal username ('kevin'), indicating this is a personal script published to the marketplace without proper generalization. While no active network exfiltration or malicious code was detected, the skill's persistent hook mechanism, MEMORY.md write capability, and unsanitized execSync usage in the suggested hook handler create a moderate risk surface that warrants review before installation.
Findings (7)
HIGH Hardcoded absolute path to wrong user's home directory -20
The script hardcodes const memoryPath = '/home/kevin/clawd/MEMORY.md' referencing the author's personal username. For any other user this silently writes to a non-existent or wrong path, or creates files owned by the agent in an unexpected location. This also leaks the author's internal directory structure.
MEDIUM Hook automation creates persistent recurring agent behavior -15
SKILL.md instructs the agent to create a hook handler that fires on every /reset command, running the project-tree script without explicit user invocation. This is a documented persistence mechanism that modifies baseline agent behavior for all future sessions.
MEDIUM MEMORY.md write creates persistent context injection surface -12
The skill writes project directory names and .md filenames into the agent's persistent memory file. Directory names containing instruction-like text (e.g., path components that resemble system prompts) would be injected into the agent's context on all subsequent sessions.
MEDIUM Hook handler uses execSync with unsanitized interpolated path -12
The suggested hook handler constructs a shell execution path via template literal from event.context.workspaceDir without sanitization. If the workspace directory contains shell metacharacters, this could result in command injection when the hook fires.
LOW Personal script incorrectly published to shared marketplace -25
The skill is non-functional as shipped for all users other than 'kevin'. This strongly suggests it is a personal script extracted from a personal environment without proper generalization, raising questions about the author's intent and quality control for the marketplace submission.
LOW Project directory structure persisted in agent memory -8
The skill writes directory names and .md filenames from ~/projects (up to 3 levels deep) into MEMORY.md on every invocation. This reveals the user's project organization, file naming conventions, and potentially sensitive project names in the agent's persistent context.
INFO Canary credential files accessed during monitoring window -15
Files .env, id_rsa, .aws/credentials, .npmrc, docker/config.json, and gcloud application_default_credentials.json were opened and accessed at 04:38:41 and 04:38:59. Timing and process context indicate these accesses originate from audit infrastructure SSH/PAM authentication and post-install canary verification, not from skill code. All files remain intact with no exfiltration detected.