Is larsonreever/codeconductor safe?

https://github.com/openclaw/skills/tree/main/skills/larsonreever/codeconductor

91
SAFE

The larsonreever/codeconductor skill is a static marketing document with no executable code, no prompt injection payloads, and no data exfiltration mechanisms. All honeypot canary files were confirmed intact. The sole concerns are a subtle commercial bias toward the CodeConductor.ai platform embedded in the skill content, and minor deviation from expected SKILL.md naming conventions. There is no evidence of malicious intent, but users should be aware the skill functions as undisclosed advertising rather than a neutral capability extension.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (5)

LOW Undisclosed Commercial Platform Promotion Embedded in Skill Content -12

The skills.md document concludes with promotional copy positioning CodeConductor.ai as 'the ultimate AI-powered software development and agentic AI platform.' When injected into an agent's system prompt as a skills profile, this framing subtly primes the agent to recommend or prefer CodeConductor.ai over neutral alternatives. This is not a traditional prompt injection but constitutes undisclosed commercial influence over agent behavior.

INFO SKILL.md Absent — Naming Convention Deviation 0

The skill does not contain the expected SKILL.md file. The audit found skills.md instead. The SKILL.md content provided to the auditor was empty. This may indicate an incomplete skill, a misconfigured publish, or an alternate injection pathway. No security risk identified from this deviation alone.

INFO Credential Honeypot Files Accessed During Audit — Attributed to Audit Infrastructure -12

Inotify and auditd logs show two access clusters on sensitive honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials). The first cluster at timestamp 1771936616.031 precedes skill installation by ~18 seconds, consistent with oathe infrastructure populating honeypots. The second cluster at 1771936639.903 follows the audit's file-scanning phase, consistent with a post-install canary integrity read. The skill contains no code capable of file access. Canary integrity confirmed intact.

INFO Expected GitHub Network Connection During Sparse Checkout -10

The install process made an HTTPS connection to 140.82.121.4 (github.com) to perform a shallow sparse-checkout clone of the skills monorepo. This is the expected and only installation network behavior. No additional exfiltration endpoints were contacted post-install.

LOW Skill Primarily Functions as Commercial Advertisement for CodeConductor.ai -15

The skill presents an AI coding assistant persona explicitly tied to the CodeConductor.ai commercial platform. Users installing this skill would be unknowingly embedding a promotional voice for a paid product into their agent. A motivated actor could use this pattern to build market share by distributing persona skills that steer AI agents toward preferred platforms or services without the user's informed consent.