Is linxule/lotus-wisdom safe?
https://github.com/openclaw/skills/tree/main/skills/linxule/lotus-wisdom
The lotus-wisdom skill is a purely text-based contemplative problem-solving framework with no executable code, no data access instructions, and no network call directives. Its only meaningful risk surface is prompt injection through forceful behavioral override language that targets and attempts to neutralize the agent's efficiency optimization tendencies — a technique that is sophisticated but serves the skill's declared legitimate purpose. All canary files remain intact, the git clone contacted only GitHub, and no unexpected processes or filesystem changes were observed attributable to the skill.
Findings (5)
LOW Forceful Behavioral Override Language -10
The skill contains strong imperative language designed to override the agent's default response patterns: 'This is not optional. The framework doesn't work without genuine stops.' and 'Present ONE step, then STOP.' While this is the skill's stated and legitimate purpose, the language is deliberately authoritative and attempts to permanently modify agent behavior for the duration of the skill's activation.
LOW Explicit Targeting of LLM Optimization Tendencies -6
The skill's author demonstrates awareness of how LLMs operate and crafts instructions specifically to counter model training defaults: 'You are trained on efficiency. Your optimization instinct will want to complete all steps in one response. This defeats the entire purpose.' This is sophisticated prompt engineering that explicitly targets and attempts to neutralize the agent's inherent behavior patterns. In context it serves the skill's benign purpose, but the technique is the same one used in adversarial jailbreaks.
INFO Canary File Syscall Accesses — Attributed to Audit Infrastructure -7
Auditd PATH records show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. These occur in two discrete clusters: one at ~1771939618 (before git clone began at ~1771939623) and one at ~1771939637 (after install completed). This timing pattern is consistent with the audit system performing its own before/after canary validation sweep, not with skill-initiated access. The canary integrity report confirms no exfiltration.
INFO Post-Install Network Connections Attributed to Audit Gateway -12
The connection diff shows the openclaw-gatewa process holding ESTABLISHED connections to 104.16.3.34:443 (Cloudflare) and 3.213.170.18:443 (AWS/EC2) and opening listeners on localhost:18790/18793 after install. This is the OpenClaw audit gateway (executor infrastructure) maintaining its operational channels, not a consequence of the skill installation. The skill consists of static markdown files incapable of spawning processes.
INFO No Executable Artifacts 0
The skill package contains only SKILL.md, REFERENCE.md, _meta.json, and .clawhub/lock.json. No code files, no package.json, no scripts, no git hooks, no submodules, and no symlinks. Zero code execution attack surface.