Is liuwujijay/agi-terminal-helper safe?

https://github.com/openclaw/skills/tree/main/skills/liuwujijay/agi-terminal-helper

94 · SAFE

The liuwujijay/agi-terminal-helper skill is a well-structured runbook for safe terminal use within the OpenClaw exec environment. The SKILL.md contains no executable code, no prompt injection patterns, no data exfiltration mechanisms, and promotes pro-safety behaviors (sandbox-first, explicit confirmation before destructive operations). The only noteworthy finding is the presence of AI-generated citation artifacts (':contentReference[oaicite:N]') that indicate the content was produced by a web-browsing LLM — these are benign but unusual. All monitoring data (filesystem, network, process, canary integrity) is consistent with a clean, safe skill.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (3)

LOW · AI-generated citation artifacts in SKILL.md · -10

The skill contains 12+ ':contentReference[oaicite:N]{index=N}' markers throughout the document. These are produced by ChatGPT with web browsing enabled and indicate the content was AI-generated with unresolvable inline citations. While they pose no direct injection or exfiltration risk in tested environments, they are atypical for a manually authored skill and could produce confusing behavior in LLMs that attempt to resolve citation syntax.

INFO · Pre-existing Ubuntu CDN connections at time of monitoring · -7

Two established TLS connections to 185.125.188.59:443 (Canonical Ubuntu CDN, used for motd-news and related services) were present at the start of the audit window. These are standard Ubuntu OS background connections unrelated to the skill and were gone by the post-install connection diff.

INFO · Credential files accessed during audit window (audit infrastructure reads) · -5

Sensitive credential files were opened at auditd timestamps 1771940581.326 (audit IDs 268-273) and 1771940599.703 (audit IDs 1413-1418). Correlation with the EXECVE trace shows these reads occurred before the git clone started (at 1771940586.845) and after the final inspection phase completed — timing consistent with the Oathe audit framework's own canary baseline and post-install integrity comparison. Canary integrity monitor confirms no exfiltration occurred.