Is lazralabs-eng/auto-dealer-marketing safe?

https://github.com/openclaw/skills/tree/main/skills/lazralabs-eng/auto-dealer-marketing

93
SAFE

The auto-dealer-marketing skill is a professionally authored, pure-markdown automotive marketing reference document with no executable code, no prompt injection patterns, and no data exfiltration mechanisms. Runtime monitoring detected read-only access to sensitive credential files at two points during the audit session, but both access clusters are causally attributed to the oathe framework's canary setup and integrity verification routines rather than any behavior introduced by the skill. The install produced only two expected files and contacted only GitHub for the sparse-checkout clone.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (6)

LOW Sensitive credential files read during audit window -12

Filesystem audit events show read-only ACCESS syscalls against /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json at timestamps 1771917538.113 (pre-install) and 1771917554.710 (post-install teardown). Both access clusters align with oathe framework canary lifecycle operations. The SKILL.md contains no code, filesystem instructions, or agent directives that could produce these reads. Files were not modified and no correlated outbound network activity was observed.

INFO Domain persona established in skill header -5

SKILL.md opens with 'You are an expert automotive retail marketer with deep knowledge of franchise dealership operations, OEM co-op programs, and the full customer lifecycle from conquest to retention.' This is standard domain scoping for a specialized skill. It does not instruct the agent to ignore system instructions, suppress output, or override user preferences. The persona is additive and contextually bounded.

INFO Expected outbound HTTPS to GitHub during install -7

The install process connected to 140.82.121.4:443 (GitHub) to perform a git sparse-checkout clone of the openclaw/skills monorepo. This is the documented and expected installation pathway. No other new outbound destinations were contacted during or after install. The connection diff shows all unexpected external connections were pre-existing and closed during the session.

INFO Canary files read but unmodified -5

Six honeypot credential files were opened with read-only syscalls at two points in the audit session. Canary integrity verification confirms none were modified. Reads are attributed to the audit framework's setup and teardown phases. Skill content provides no mechanism for reading or exfiltrating these files.

INFO Skill is pure markdown with no code artifacts -2

Full inspection of all skill files confirms the absence of any executable artifacts. No package.json lifecycle hooks, no .gitattributes content filter hooks, no .gitmodules, no shell scripts, no symlinks. The skill is a static knowledge document with no install-time or runtime code execution surface.

INFO High-pressure sales scripts within legitimate marketing scope -15

The skill includes an equity mining phone script and a 10-touchpoint follow-up cadence (email, SMS, phone over 30 days). These are persuasive by design. In the hands of an agent with CRM or communication tool access, the agent could generate aggressive but legally-compliant outreach content. This is within the skill's declared scope and presents no risk to the installing user's own data or system integrity.