Is loveyana/volcengine-agent-identity safe?
https://github.com/openclaw/skills/tree/main/skills/loveyana/volcengine-agent-identity
The volcengine-agent-identity skill is a documentation-only prompt package (SKILL.md + _meta.json) with no executable code, no install hooks, no git submodules, and a clean install that contacted only GitHub. No prompt injection, hidden instructions, or canary exfiltration was detected. The primary concerns are design-level: the returnValue parameter can expose raw OAuth tokens and API keys in the agent's context window, identity_set_binding silently falls back to importing process.env variables, and the skill's security ultimately depends on the trustworthiness of the opaque Volcengine backend plugin that handles all credential operations.
Findings (8)
MEDIUM returnValue: true returns raw credential into agent context -15
The identity_fetch tool documents an optional returnValue boolean that, when true, includes the raw credential string (OAuth access token or API key) in the tool response for "same-turn automation." This places a live secret directly into the agent's context window, where it can appear in conversation transcripts and audit logs, leak into the agent's output to the user, or be consumed by other skills in a multi-skill chain without any further user consent.
LOW identity_set_binding silently imports process.env variable as credential fallback -7
When binding a credential provider to an env var and no stored credential exists, the plugin automatically imports the current value of process.env[envVar] as an api_key credential. This silent fallback copies whatever the environment variable happens to hold into the plugin's credential store without the user explicitly supplying a secret, and the documented flow has no visible confirmation step at which the user could notice or decline the import.
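The two findings above are design-level, so the practical check is on the host side: flag the tool calls that trigger them and redact credential fields before a tool result reaches the context window. The following is an added example (not code from the skill, the OpenClaw framework, or the Volcengine plugin). The JSON Lines tool-call log format, the `envVar`/`provider` argument names and the `access_token` result field are assumptions for the example; only the tool names and the `returnValue` parameter come from the audit.

```python
import json
import os
import re
from typing import Iterable, Mapping, Optional

# Constructed tool-call log in JSON Lines form. The field names (ts, tool, args,
# envVar, provider) are an assumption for this example; only identity_fetch,
# identity_set_binding and returnValue are documented on the page.
SAMPLE_LOG = """\
{"ts":"2025-01-01T04:41:02Z","tool":"identity_status","args":{}}
{"ts":"2025-01-01T04:41:05Z","tool":"identity_fetch","args":{"provider":"volcengine","returnValue":true}}
{"ts":"2025-01-01T04:41:07Z","tool":"identity_fetch","args":{"provider":"volcengine"}}
{"ts":"2025-01-01T04:41:09Z","tool":"identity_set_binding","args":{"provider":"openai","envVar":"OPENAI_API_KEY"}}
{"ts":"2025-01-01T04:41:11Z","tool":"identity_set_binding","args":{"provider":"github","envVar":"GH_TOKEN"}}
"""

# Constructed identity_fetch result; the access_token key is assumed.
SAMPLE_RESULT = {
    "provider": "volcengine",
    "kind": "oauth_access_token",
    "access_token": "ya29.constructed-sample-token-not-real",
    "expires_in": 3600,
    "meta": {"api_key": "sk-constructed-sample-key", "scope": ["identity"]},
}

# Keys whose string values should never be handed to the model verbatim.
SECRET_KEYS = re.compile(r"(token|secret|api[_-]?key|credential|password)$", re.I)


def flag_identity_calls(log_lines: Iterable[str],
                        env: Optional[Mapping[str, str]] = None) -> list:
    """Return findings for identity tool calls that put secrets at risk.

    MEDIUM: identity_fetch with returnValue:true puts the raw credential in context.
    LOW:    identity_set_binding naming an env var that is currently set; with no
            stored credential the plugin would import that value silently.
    """
    env = os.environ if env is None else env
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        tool, args = rec.get("tool"), rec.get("args", {})
        if tool == "identity_fetch" and args.get("returnValue") is True:
            findings.append({"ts": rec["ts"], "severity": "MEDIUM", "tool": tool,
                             "reason": "raw credential returned into agent context"})
        elif tool == "identity_set_binding":
            var = args.get("envVar")
            if var and var in env:
                findings.append({"ts": rec["ts"], "severity": "LOW", "tool": tool,
                                 "reason": f"process.env[{var}] is set; silent import as api_key possible"})
    return findings


def redact(obj):
    """Recursively replace string values under credential-looking keys.

    Applied to a tool result before it is appended to the transcript, this keeps
    status fields (provider, expiry) while removing the secret itself.
    """
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if SECRET_KEYS.search(k) and isinstance(v, str) else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


if __name__ == "__main__":
    for f in flag_identity_calls(SAMPLE_LOG.splitlines(), {"OPENAI_API_KEY": "set"}):
        print(f["ts"], f["severity"], f["tool"], f["reason"])
    print(json.dumps(redact(SAMPLE_RESULT), indent=2))
```

The env-var check takes the environment as a parameter rather than reading `os.environ` directly so the same logic can be replayed against a recorded snapshot of the agent's environment at the time of the call.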
LOW Agent instructed to bypass user-facing slash commands for credential operations -10
The SKILL.md explicitly tells the agent to invoke identity tools directly for login, credential fetch, status, and env-binding actions rather than surfacing slash commands to the user. This reduces the user's ability to observe that credential operations are occurring and to provide informed consent at each step.
LOW Opaque Volcengine backend is the actual trust surface -15
SKILL.md is a thin prompt wrapper; all 12 identity tools (identity_login, identity_fetch, identity_status, identity_set_binding, identity_approve_tool, etc.) route their execution to the closed-source Volcengine agent-identity plugin. The security posture of credential storage, OIDC session handling, TIP token issuance, and AuthZ decisions depends entirely on that backend, which cannot be evaluated from this audit.
LOW Broad bilingual activation triggers may cause unexpected engagement -10
The skill's description activates for a wide range of Chinese and English user phrases covering login, status, credentials, API key configuration, env binding, tool approval, and risk checking. This surface area may cause the skill to engage on loosely related queries, potentially initiating credential flows without explicit user intent.
INFO Canary files read (read-only) twice, attributed to audit framework, not skill 0
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud ADC) were opened and read at 04:40:25 (before install) and 04:40:48 (after install). Because the skill has zero executable code and the identical access pattern precedes the git clone, these events are consistent with the oathe audit framework creating and verifying canary files at session start and at the post-install checkpoint. No write events and no exfiltration to external IPs were observed. The canary integrity check confirmed all files unmodified.
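The attribution argument in this finding rests on two checks: the canaries' contents still match their baseline, and the post-install read set is identical to a read set that already occurred before the clone. The following is an added example of both checks (not code from the oathe framework or the skill). The canary paths and the two read times are taken from the finding; the install window, the event-record layout and the gcloud ADC path are assumptions for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Honeypot paths named in the audit, planted under a throwaway HOME for this example.
# The gcloud ADC path is assumed; the audit only says "gcloud ADC".
CANARY_PATHS = [
    ".env", ".ssh/id_rsa", ".aws/credentials", ".npmrc", ".docker/config.json",
    ".config/gcloud/application_default_credentials.json",
]


def plant_canaries(home: Path) -> dict:
    """Write a unique marker into each canary and return a path -> sha256 baseline."""
    baseline = {}
    for rel in CANARY_PATHS:
        p = home / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        marker = f"CANARY {rel} {os.urandom(8).hex()}\n".encode()
        p.write_bytes(marker)
        baseline[rel] = hashlib.sha256(marker).hexdigest()
    return baseline


def verify_canaries(home: Path, baseline: dict) -> list:
    """Return canaries that are missing or whose content no longer matches the baseline."""
    changed = []
    for rel, digest in baseline.items():
        p = home / rel
        if not p.is_file() or hashlib.sha256(p.read_bytes()).hexdigest() != digest:
            changed.append(rel)
    return changed


def demo_tamper_check():
    """Plant canaries, verify them clean, overwrite one, and verify again."""
    home = Path(tempfile.mkdtemp())
    baseline = plant_canaries(home)
    clean = verify_canaries(home, baseline)
    (home / ".env").write_text("AWS_SECRET_ACCESS_KEY=replaced\n")  # simulated tampering
    return clean, verify_canaries(home, baseline)


def _t(hms: str) -> datetime:
    return datetime.fromisoformat(f"2025-01-01T{hms}+00:00")


# Constructed access-event log. The two read times come from the audit; the install
# window (start and end of the sparse-checkout clone) is assumed for this example.
INSTALL_START, INSTALL_END = _t("04:40:30"), _t("04:40:45")
SAMPLE_EVENTS = (
    [{"ts": _t("04:40:25"), "op": "read", "path": p} for p in CANARY_PATHS]
    + [{"ts": _t("04:40:48"), "op": "read", "path": p} for p in CANARY_PATHS]
)


def attribute_reads(events, install_start, install_end) -> dict:
    """Bucket canary accesses by phase relative to the install window.

    Reads that precede the clone cannot be the skill's. A post-install read set
    identical to the pre-install one, with nothing during install and no writes,
    matches a framework checkpoint. Any write, any access during install, or a
    post-install set that differs from the pre-install set needs manual review.
    """
    phases = {"pre_install": set(), "during_install": set(), "post_install": set()}
    writes = 0
    for ev in events:
        if ev["op"] != "read":
            writes += 1
            continue
        if ev["ts"] < install_start:
            phases["pre_install"].add(ev["path"])
        elif ev["ts"] <= install_end:
            phases["during_install"].add(ev["path"])
        else:
            phases["post_install"].add(ev["path"])
    checkpoint_like = (phases["pre_install"] == phases["post_install"]
                       and not phases["during_install"] and writes == 0)
    return {
        "pre_install": len(phases["pre_install"]),
        "during_install": len(phases["during_install"]),
        "post_install": len(phases["post_install"]),
        "writes": writes,
        "attribution": "audit framework checkpoint" if checkpoint_like else "needs review",
    }


if __name__ == "__main__":
    print("tamper check (clean, after overwrite):", demo_tamper_check())
    print(attribute_reads(SAMPLE_EVENTS, INSTALL_START, INSTALL_END))
```

Content hashing is used rather than mtime or atime because a skill that reads a canary legitimately updates atime, and a careful one could restore mtime after a write; a sha256 mismatch is the signal that actually matters.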
INFO No executable code present, documentation-only skill 0
The skill package consists exclusively of SKILL.md (agent prompt) and _meta.json (registry metadata). No package.json with scripts, no npm hooks, no shell scripts, no compiled artifacts, no git submodules, no .gitattributes smudge filters, and no symlinks were found.
INFO Install connected only to GitHub, no unexpected network activity 0
The sparse-checkout install made a single outbound TLS connection to github.com (140.82.121.3:443) to fetch the skills monorepo and extract the skill subpath. DNS resolution was local. No other external IPs were contacted. No new listening ports or persistent connections were established after install.