Is lgmnemesis/rubicon safe?
https://github.com/openclaw/skills/tree/main/skills/lgmnemesis/rubicon
Rubicon Sentinel v2 poses no installation-time code execution or credential exfiltration risk — it is pure markdown with a clean git clone. The primary threats are runtime behavioral: the skill imposes a strongly partisan political persona on the agent, uses politically loaded scoring rubrics presented as objective data, probes for TWITTER_BEARER_TOKEN credentials, and includes dedicated modes for generating political memes and tweets, constituting a functional influence-operation toolkit. Users who install this skill should expect all geopolitical responses from their agent to be contaminated with the skill's ideological framing even during ostensibly unrelated tasks.
Findings (8)
HIGH Partisan political persona imposed on agent -20
SKILL.md instructs the agent to adopt a fixed political identity ('truth over comfort', 'zero-chill', 'Rubio red pills') and deliver analysis through this lens. This is a persona hijack that biases all agent output when the skill is active, regardless of user intent.
HIGH Politically biased scoring rubric presented as objective methodology -20
references/scoring.md contains pre-set country scores for each pillar that establish specific political outcomes as calibration targets. The agent is instructed to score against these examples, laundering political values into apparently data-driven outputs.
MEDIUM TWITTER_BEARER_TOKEN credential probing -20
The skill explicitly checks for the TWITTER_BEARER_TOKEN environment variable and uses it if present. This silently upgrades API access scope without user confirmation that they intended to grant this skill social media API credentials.
MEDIUM Unbounded web_fetch on search result URLs -15
Deep Scan instructs the agent to web_fetch the top 3–5 search results. If an attacker controls search result content or ranking, they could inject URLs pointing to internal services, achieving agent-assisted SSRF.
MEDIUM Political disinformation pipeline via framing-as-analysis -30
The skill combines web_search, politically biased scoring rubrics, and a fixed ideological persona to produce content that looks like objective analysis but systematically supports specific political positions. This is a functional disinformation tool using the agent's trusted output channel.
LOW Meme and tweet generation for political influence operations -20
Dedicated modes generate shareable political content (memes, ≤280-char tweets with hashtags) from the skill's biased analysis. Combined with web_search and an LLM's fluency, this creates a political content generation pipeline that could be used at scale.
INFO Clean installation — expected network behavior only 0
The git clone connected only to GitHub (140.82.121.3:443) as expected for a sparse monorepo checkout. No unexpected processes, no filesystem changes outside the skill directory, no firewall blocks.
INFO Canary files read by monitoring infrastructure, not the skill 0
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened twice — at audit timestamp 1771930471 (before the clone at 1771930477) and 1771930488 (after analysis completion). Both batches are consistent with the oathe monitoring harness performing pre/post baseline snapshots. All events are CLOSE_NOWRITE. No data was sent to external endpoints from these opens.