Is local/xuezh safe?

https://github.com/openclaw/skills/tree/main/skills/local/xuezh

Overall score: 87/100 · SAFE

The xuezh skill is a legitimate Mandarin language learning assistant with a clean, minimal SKILL.md containing no prompt injection, no executable install-time code, and no malicious network behavior during installation. The primary security concern is a supply-chain risk: the skill's Nix plugin is sourced from a personal GitHub account (joshp123) and would be fetched and executed at agent runtime without further vetting. Credential file reads observed during the audit window are attributed to the audit infrastructure's own sudo/PAM and canary-check routines, not the skill installation itself, and all canary files were confirmed intact.

Category Scores

Prompt Injection: 94/100 (weight 30%)
Data Exfiltration: 80/100 (weight 25%)
Code Execution: 85/100 (weight 20%)
Clone Behavior: 88/100 (weight 10%)
Canary Integrity: 96/100 (weight 10%)
Behavioral Reasoning: 77/100 (weight 5%)

Findings (7)

MEDIUM: Nix plugin sourced from personal GitHub account (score impact -15)

The skill metadata declares a Nix plugin at 'github:joshp123/xuezh'. This is a personal account repository, not an organizational or audited package. The moltbot framework fetches and installs this flake at agent runtime. Any update to that repository — including a malicious one — would silently execute with agent-level privileges without requiring a skill update.

LOW: Credential files read during installation window (score impact -12)

Inotify and auditd both recorded read access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application default credentials during the audit window. Timing analysis indicates these accesses at 07:49:24 precede the skill clone (07:49:29) and are attributable to sudo/PAM authentication by the audit infrastructure. A second batch at auditd timestamp 1771919387 is consistent with the canary integrity scan. The skill itself did not trigger these reads, but the pattern warrants documentation.

LOW: Runtime access to Azure Speech API key file required (score impact -8)

The skill requires the agent environment to expose XUEZH_AZURE_SPEECH_KEY_FILE pointing to a credential file, and the xuezh process reads that file at invocation time. If the agent's file access is not sandboxed, a malicious skill loaded alongside this one could read the same credential by inspecting the environment variable or guessing the path.

LOW: Voice audio processing with external cloud backend (score impact -8)

The 'xuezh audio process-voice' command sends audio files to Azure Cognitive Services for speech recognition. User voice recordings are transmitted to a third-party cloud endpoint. If XUEZH_AZURE_SPEECH_REGION is misconfigured or the Azure account is compromised, voice data could be retained or accessed by unauthorized parties.

INFO: Clean installation — only expected GitHub contact (score impact 0)

The install script performed a shallow sparse-checkout from the skills monorepo on GitHub. No unexpected domains were contacted, no persistent listeners were created, and filesystem changes were confined to the skill-under-test directory.

INFO: SKILL.md contains no injection patterns (score impact 0)

The skill instructions are minimal and focused. No instructions to override system prompts, suppress output, switch personas, or fetch external URLs were found. The contract clause is a safe operational constraint.

INFO: All honeypot files confirmed intact (score impact 0)

The audit infrastructure confirmed that none of the canary files (.env, SSH keys, AWS credentials, etc.) were modified or exfiltrated during the installation and monitoring period.