Is lopushok9/airadar safe?

https://github.com/openclaw/skills/tree/main/skills/lopushok9/airadar

91
SAFE

The lopushok9/airadar skill is a pure markdown prompt with no executable code, no git hooks, no submodules, and no instructions that attempt to override the agent's behavior or exfiltrate data. Monitoring detected reads of canary credential files, but timing analysis shows both access clusters fall outside the install window and are consistent with the Oathe audit framework's own baseline and verification routines, not the skill itself; the canary integrity check confirms no exfiltration occurred. The only meaningful residual risk is the class-level indirect prompt injection exposure inherent to any web-research skill that fetches and ingests live external content.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 99/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 87/100 · 10%
Behavioral Reasoning 83/100 · 5%

Findings (4)

LOW External URL fetching opens indirect prompt-injection surface -10

The skill's workflow explicitly instructs the agent to retrieve content from external web sources (GitHub Explore, Octoverse, news URLs). If a user is directed to a malicious or compromised page, adversarially crafted content on that page could inject follow-on instructions into the agent's context window. This is an inherent property of web-research skills, not a deliberate backdoor by the skill author.

INFO Canary files opened during audit — attributed to framework, not skill -13

Inotify and auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials were opened and read. However, both access clusters occur at timestamps that predate and postdate the install window respectively (1771927259 before git clone at 1771927264, and 1771927282 after install completion at 1771927277), consistent with the Oathe framework's own canary setup and teardown routines. No corresponding outbound network payload was observed.

INFO No executable code present -1

The skill consists solely of SKILL.md (markdown prompt) and _meta.json (metadata). No scripts, binaries, npm packages, git hooks, submodules, or symlinks were introduced.

INFO Research skill inherits standard web-browsing risk profile -17

When active, this skill will cause the agent to browse public web sources (GitHub, tech news). Content from those sources enters the agent's context and could theoretically carry injected instructions. This risk is low given mainstream sources but non-zero for user-supplied or obscure URLs.