Is lkz4203/file-organizer safe?

https://github.com/openclaw/skills/tree/main/skills/lkz4203/file-organizer

90
SAFE

The lkz4203/file-organizer skill is an incomplete stub: SKILL.md describes a Windows PowerShell file-organizer but the referenced scripts/organize.ps1 was not distributed, making the skill non-functional. No malicious prompt injection, data exfiltration code, or hidden instructions were detected in the skill content. The .clawhub/lock.json records an unexplained dependency on academic-research-hub, and post-install networking shows openclaw-gateway connections to AWS and Cloudflare endpoints that are most plausibly platform infrastructure but warrant awareness.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 78/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (5)

MEDIUM Referenced PowerShell script absent from installed files -12

SKILL.md instructs users and agents to execute scripts/organize.ps1 via powershell.exe, but this file was not included in the skill distribution. The installed files are limited to SKILL.md, _meta.json, and .clawhub/lock.json. Any agent following the skill's instructions will fail to locate the script. This renders the skill non-functional as distributed and may indicate an incomplete or staged publish.

LOW Undisclosed skill dependency in lock file -15

The .clawhub/lock.json file records a locked dependency on academic-research-hub v0.1.0, installed at epoch 1770957475341. This dependency is not referenced in SKILL.md and its relationship to the file-organizer skill is unexplained. Users cannot evaluate what additional code or instructions academic-research-hub injects into the agent's context when both skills are active.

LOW Post-install external TCP connections via openclaw-gateway -22

The post-install network snapshot shows the openclaw-gateway process (pid=1081) holding two ESTABLISHED connections to 54.211.197.216:443 (AWS EC2, us-east-1 region) and one to 104.16.6.34:443 (Cloudflare), none of which appear in the pre-install snapshot. These are most likely ClawHub platform telemetry or control-plane connections given the low PID, but the skill installation event is temporally proximate and cannot be fully discounted as a trigger.

INFO Canary credential files opened during audit window -8

Audit syscall logs show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were opened and read at timestamps 1771923603.362 (post-install). A prior batch at 1771923586.302 is clearly attributable to monitoring setup. The post-install batch at 1771923603 is most likely a monitoring system canary rescan but cannot be attributed with certainty from the evidence provided. All files were read-only (no writes) and the canary integrity check passed.

INFO Windows-only PowerShell invocation limits cross-platform utility -5

SKILL.md exclusively references powershell.exe and Windows-style paths (C:\Users\L\Downloads). On non-Windows agent environments the skill instruction is a no-op. This is a design limitation rather than a security threat, but agents on Linux or macOS may attempt to locate powershell.exe and fail in unpredictable ways depending on their tool-calling behavior.