Is lepetitpince/clawdo safe?
https://github.com/openclaw/skills/tree/main/skills/lepetitpince/clawdo
The clawdo skill package is documentation-only (SKILL.md, README.md, _meta.json) with no executable code, no credential access, and clean install behavior limited to a single GitHub HTTPS connection. Canary file accesses in the monitoring logs are attributable to the audit harness itself, not the skill. The primary residual risk is the separately installed npm binary ('npm install -g clawdo'), which is outside the scope of this audit and represents an unverified supply-chain dependency; the silent autonomous task-execution model also warrants awareness when deploying in high-privilege agent environments.
Findings (6)
MEDIUM Global npm binary install is unaudited -20
The skill's declared install procedure requires 'npm install -g clawdo', placing a globally-scoped binary on the host. The npm package (https://www.npmjs.com/package/clawdo) is entirely separate from this skill documentation package and has not been evaluated. A compromised or malicious version of the npm binary could perform arbitrary actions at agent runtime.
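A pre-install check for the separately published npm package, added here as an example; it is not the audit harness's tooling and not the clawdo project's own code. It assumes the tarball was produced with 'npm pack clawdo' and has the 'package/' top-level layout npm uses; the sample package built inside it is constructed for the demonstration and says nothing about what the real clawdo package contains.

```python
"""Static pre-install check for an npm package tarball.

Added example for this audit; not part of the clawdo project or the audit
harness. Assumes the tarball came from `npm pack clawdo` (npm writes the
package contents under a top-level `package/` directory). The sample
package below is constructed and says nothing about the real package.
"""
import io
import json
import sys
import tarfile

# Scripts npm runs automatically during `npm install`, before the agent ever
# invokes the binary. Any of these is install-time code execution.
LIFECYCLE_SCRIPTS = ("preinstall", "install", "postinstall", "prepare")

# File types that warrant manual reading: shell scripts, native addons, and
# anything shipped with an executable bit set.
SUSPICIOUS_SUFFIXES = (".sh", ".node")


def audit_npm_tarball(tgz: bytes) -> dict:
    """Inspect an npm tarball in memory, without extracting it to disk.

    Returns lifecycle scripts, bin entrypoints, dependencies and flagged
    files so a reviewer can decide what to read before installing.
    """
    report = {"lifecycle_scripts": {}, "bins": {}, "dependencies": [], "flagged_files": []}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name == "package/package.json":
                pkg = json.load(tar.extractfile(member))
                scripts = pkg.get("scripts") or {}
                report["lifecycle_scripts"] = {k: v for k, v in scripts.items() if k in LIFECYCLE_SCRIPTS}
                bins = pkg.get("bin") or {}
                if isinstance(bins, str):  # shorthand form: "bin": "cli.js"
                    bins = {pkg.get("name", ""): bins}
                report["bins"] = bins
                report["dependencies"] = sorted(pkg.get("dependencies") or {})
            elif member.isfile() and (member.mode & 0o111 or member.name.endswith(SUSPICIOUS_SUFFIXES)):
                report["flagged_files"].append(member.name)
    # Install-time code is the sharper concern: it runs as the installing user
    # before anyone has read the package. Bins run later, at agent runtime.
    report["runs_code_at_install"] = bool(report["lifecycle_scripts"])
    return report


def build_sample_tarball(package_json: dict, files=()) -> bytes:
    """Build an in-memory tarball in `npm pack` layout (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        entries = [("package/package.json", json.dumps(package_json).encode(), 0o644)] + list(files)
        for name, content, mode in entries:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mode = mode
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: npm pack clawdo && python audit_npm_tarball.py clawdo-*.tgz
    with open(sys.argv[1], "rb") as fh:
        print(json.dumps(audit_npm_tarball(fh.read()), indent=2))
```

Read every reported lifecycle script and bin entrypoint before installing: lifecycle scripts run as the installing user at 'npm install' time, which is earlier than the agent-runtime window the finding describes, and a global install puts the bin on PATH for every shell on the host.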
LOW Silent autonomous execution window -15
The 'auto' autonomy level instructs agents to execute tasks without notifying the user for up to 10 minutes. If an adversary can inject tasks into the clawdo SQLite database (via prompt injection, file write access, or a malicious co-installed skill), those tasks would execute silently on the next heartbeat cycle.
LOW Normalizes agent autonomy without per-action user consent -8
SKILL.md teaches agents to check their own task inbox and execute 'autoReady' tasks without any user interaction at execution time. This is a design pattern that reduces the human-in-the-loop for agent actions, which is an acceptable UX trade-off but represents a mild weakening of the oversight model.
INFO Canary file accesses are audit-harness-originated -5
Inotify and auditd events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials appear at two timestamps: 1771939661 (5 seconds before the git clone starts) and 1771939685 (2 seconds after install completes). Both windows match audit harness canary setup and teardown, not skill execution. No WRITE events on any credential path.
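The attribution reasoning above, as an added example that is not the harness's own tooling: it parses inotifywait-style lines (constructed here, reusing the two timestamps the finding cites), derives the install window from the stated 5-second and 2-second offsets, and buckets credential-path hits by whether they fall inside that window. Anything inside the window, and any write event anywhere, is what would have to be charged to the skill.

```python
"""Attribute canary-file hits to the audit harness or to the install step.

Added example for this audit; not the harness's own tooling. Assumes the
monitor wrote inotifywait-style lines (`--timefmt %s --format '%T %w%f %e'`).
The install window is derived from the finding's offsets (clone starts 5 s
after the first burst, install finishes 2 s before the second); the
harness's actual clock values are not in the report.
"""
import re
from typing import NamedTuple

CLONE_START = 1771939661 + 5   # 1771939666
INSTALL_END = 1771939685 - 2   # 1771939683

# Constructed sample log; the paths mirror the canaries the finding lists.
SAMPLE_EVENTS = """\
1771939661 /root/.env OPEN
1771939661 /root/.ssh/id_rsa OPEN
1771939661 /root/.aws/credentials OPEN
1771939661 /root/.npmrc OPEN
1771939661 /root/.docker/config.json OPEN
1771939685 /root/.env OPEN
1771939685 /root/.ssh/id_rsa OPEN
1771939685 /root/.aws/credentials OPEN
1771939685 /root/.npmrc OPEN
1771939685 /root/.docker/config.json OPEN
"""

CREDENTIAL_MARKERS = (".env", ".ssh/", ".aws/credentials", ".npmrc", ".docker/config.json", "gcloud")
# inotify events that change a file; OPEN or ACCESS alone is a read.
WRITE_EVENTS = frozenset({"MODIFY", "CLOSE_WRITE", "CREATE", "DELETE", "ATTRIB", "MOVED_TO"})
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z_]+(?:,[A-Z_]+)*)$")


class Event(NamedTuple):
    ts: int
    path: str
    kinds: frozenset


def parse_events(text: str) -> list:
    """Parse inotifywait lines; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(int(m.group(1)), m.group(2), frozenset(m.group(3).split(","))))
    return events


def attribute_canary_hits(events, clone_start: int, install_end: int) -> dict:
    """Split credential-path events by whether they fall inside the install window.

    Hits outside [clone_start, install_end] are the harness placing and
    collecting its canaries; hits inside are chargeable to the skill install.
    """
    result = {"outside_install": [], "during_install": [], "writes": []}
    for ev in events:
        if not any(marker in ev.path for marker in CREDENTIAL_MARKERS):
            continue
        bucket = "during_install" if clone_start <= ev.ts <= install_end else "outside_install"
        result[bucket].append(ev)
        if ev.kinds & WRITE_EVENTS:
            result["writes"].append(ev)
    result["skill_touched_credentials"] = bool(result["during_install"])
    return result


if __name__ == "__main__":
    summary = attribute_canary_hits(parse_events(SAMPLE_EVENTS), CLONE_START, INSTALL_END)
    print(f"outside install window: {len(summary['outside_install'])}, "
          f"during install: {len(summary['during_install'])}, writes: {len(summary['writes'])}")
```

The window boundaries are the weak point of this attribution: if the harness's setup and the clone overlapped in time, a skill-originated read would land in the same second as a harness read and be misclassified, so the harness should log its own setup and teardown timestamps rather than leaving the reviewer to infer them from offsets.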
INFO Clean sparse checkout from openclaw/skills monorepo 0
Install fetches only the skills/lepetitpince/clawdo subpath from the official openclaw/skills repository via HTTPS. The clone is depth-limited and removed after file copy. No unexpected network destinations.
INFO No executable code in skill package 0
The audited package is exclusively documentation (SKILL.md, README.md, _meta.json). There is no mechanism within these files to read filesystem paths or transmit data; whatever they instruct is carried out by the agent that reads them and by the npm binary they tell it to install, so any such capability would reside there, not in the package itself.