Is luciusrockwing/autonomy-windowed safe?

https://github.com/openclaw/skills/tree/main/skills/luciusrockwing/autonomy-windowed

Overall score: 90 · Verdict: SAFE

autonomy-windowed is a pure-markdown productivity skill that contains no executable code; during installation it made only the expected GitHub clone connection and left all honeypot files intact. Its security surface is entirely behavioral: it grants the agent up to 16 hours/day of unsupervised autonomous operation driven by an unvalidated markdown queue file, includes an unconditional urgent-override that bypasses all time controls, and embeds a structured two-month scope-escalation plan, none of which are disclosed as risks. The skill is not malicious, but it represents a significant trust grant that users should consciously evaluate before installation.

Category Scores

Prompt Injection: 78/100 (weight 30%)
Data Exfiltration: 96/100 (weight 25%)
Code Execution: 100/100 (weight 20%)
Clone Behavior: 95/100 (weight 10%)
Canary Integrity: 100/100 (weight 10%)
Behavioral Reasoning: 70/100 (weight 5%)

Findings (9)

[MEDIUM] Urgent override bypasses all time-window controls unconditionally (-10)

The @priority:urgent flag instructs the agent to execute tasks immediately regardless of the configured time window, removing the temporal safety boundary the skill claims to enforce. This override applies 'even outside window' and 'overrides all other considerations', meaning any task with this tag executes at 3 AM just as readily as at noon.

[MEDIUM] Gradual autonomous scope expansion by design (-7)

The 'slowly evolve' lifecycle explicitly instructs the agent to expand from 4 sessions/day with an 8-hour window to 8 sessions/day with a 16-hour window over two months. This structured escalation pattern increases autonomous footprint without requiring explicit user re-consent at each step, normalizing a progressively larger trust grant.

[LOW] Financial goal bias hard-coded into task selection (-5)

The skill embeds a fixed financial objective ('RA's long-term goal: MONEY') into the autonomous task-selection loop and instructs the agent to update GOALS.md with monetization progress after every completed task. This pre-configures the agent's autonomous priorities without user-visible setup.

[LOW] Automatic context checkpointing creates persistent undisclosed records (-4)

The references/checkpoints.md protocol triggers an automatic write to memory/episodic/[today].md whenever conversation context exceeds 70%. These checkpoints capture human goals, expressed preferences, active file paths, and key decisions: a persistent side-channel that accumulates sensitive context without per-write user notification.

[LOW] Queue poisoning attack surface: QUEUE.md executed without validation (-15)

The heartbeat protocol reads tasks/QUEUE.md and executes the highest-priority task verbatim. No input sanitization or allowlist is applied. If an attacker gains write access to this file via any vector (compromised CI, git hook in a downstream repo, or another installed skill), they can inject @priority:urgent tasks that execute immediately at any hour without user approval.

[LOW] Companion skill referenced in shipped lock.json (-5)

The .clawhub/lock.json bundled with this skill lists [email protected] as already installed (installedAt timestamp predates this skill's publish date). This suggests the skill was authored in an environment with other skills active and hints at undocumented inter-skill dependencies that are not disclosed to the user.

[INFO] No executable code present (0)

The skill contains only markdown documentation files. No JavaScript, TypeScript, Python, or shell scripts were found. No package.json, git hooks (.githooks/, .gitattributes filters), submodules, or symlinks pointing outside the repository were present.

[INFO] Only expected GitHub network connection during install (0)

Network monitoring recorded a single outbound TLS connection to 140.82.114.4:443 (GitHub) for the git sparse-checkout clone. No unexpected DNS queries, no third-party beacons, and no post-install callbacks were observed. The connection diff shows no new persistent connections after install.

[INFO] All honeypot files intact (0)

Monitoring confirmed .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application_default_credentials.json were not modified or exfiltrated. Dual-timestamp accesses observed in auditd PATH records correspond to the audit infrastructure's own pre/post canary integrity checks, not skill activity.