Is luna825/hello-demo safe?

https://github.com/openclaw/skills/tree/main/skills/luna825/hello-demo

Overall score: 95 · SAFE

hello-openclaw is a genuine demo skill with no malicious behavior. The SKILL.md contains only safe instructional content, the Python script performs no sensitive operations beyond printing the working directory, and all network activity during installation is attributable to GitHub (git clone) and pre-existing Ubuntu infrastructure. Sensitive credential file accesses visible in monitoring are exclusively from the audit framework's canary setup and verification phases, confirmed by the all-intact canary integrity result.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 97/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (4)

INFO Python script prints working directory -10

scripts/test.py calls os.getcwd() and prints the result, disclosing the agent's current working directory in output. No file I/O, network calls, or sensitive data access occurs.

INFO Canary file accesses from audit framework only -5

Sensitive credential files were accessed during monitoring, but timing analysis confirms these accesses occurred during audit framework canary setup (pre-clone) and post-install verification, not from any skill code. Canary integrity check confirms all files are unmodified.

INFO Script execution instruction in SKILL.md -3

SKILL.md openly instructs the agent to run python scripts/test.py as an example. This is transparent and the script is benign, but any agent-facing execute instruction is worth noting.

INFO Network activity during install limited to expected infrastructure -3

GitHub (git clone) and Ubuntu/Canonical (background system update checks that were already running before the skill was installed) account for all observed network connections. No unexpected outbound destinations were observed.