Is lucaslcarrijo/windsurf-cascade safe?

https://github.com/openclaw/skills/tree/main/skills/lucaslcarrijo/windsurf-cascade

Overall score: 93 (SAFE)

The windsurf-cascade skill is benign reference documentation for the Windsurf IDE Cascade agent, containing no executable code, install hooks, prompt injection directives, or data exfiltration mechanisms. Canary file access events detected in monitoring predate the skill installation by several seconds and are attributable to the oathe audit framework's own lifecycle routines, confirmed by the passed canary integrity check. The only network activity during install was a standard TLS connection to GitHub for the git sparse-checkout, which terminated cleanly with no persistent sockets.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (6)

LOW Canary file read events recorded during audit lifecycle -10

Filesystem monitoring captured OPEN and ACCESS events on all six honeypot files (.env, id_rsa, AWS credentials, npmrc, docker config, gcloud ADC) at 07:56:56 — approximately 5 seconds before the git clone of the skill repo began at 07:57:01. A second set of accesses was recorded at audit timestamp 1771919833, after install completion. The chronological order (access before clone) and the passed canary integrity check together confirm these are audit-framework artifacts, not skill-driven reads. No evidence the skill itself triggered or scheduled any file access.

LOW External URL references embedded in skill body -8

SKILL.md links to windsurf.com and agentskills.io as legitimate product references. An agent equipped with a web-fetch tool could in principle visit these domains if it acted on the documentation literally, but no instruction in the skill directs the agent to fetch these URLs autonomously. Both domains are attributable to the Windsurf/Codeium product ecosystem.

INFO Documentation normalizes high-privilege terminal execution concepts -12

The skill describes Turbo Mode (auto-execute all terminal commands without user confirmation) and Cascade Hooks as desirable features. While this is accurate product documentation, injecting it into a general-purpose agent context could subtly frame unconstrained terminal execution as a normal or preferred workflow. No directive instructs the hosting agent to adopt these behaviors.

INFO Shell command snippets present within markdown code fences -3

SKILL.md includes bash code blocks illustrating sudo symlink creation for PATH installation and a WSL helper script. These are inert documentation examples enclosed in markdown fences with no auto-execution mechanism; they require deliberate user copy-paste to take effect.

INFO Transient HTTPS connection to GitHub during sparse-checkout install -8

The install process established a TLS connection to 140.82.121.3:443 (GitHub) to perform a shallow git clone with sparse-checkout. This is the expected and intended installation mechanism for a skill hosted in a GitHub monorepo. The connection terminated cleanly after the clone completed with no residual ESTAB sockets.

INFO Honeypot access events require contextual interpretation -5

While the integrity check confirms canary files were not modified, the presence of read events against all six honeypot categories in the inotify and auditd logs merits documentation. Red-team context: a malicious skill could read credentials without modifying them; however, the pre-clone timing and post-install teardown timing of these events, combined with the absence of any outbound data channel, rule out skill-driven credential harvesting in this instance.