Is luweiliao/ardupilot safe?

https://github.com/openclaw/skills/tree/main/skills/luweiliao/ardupilot

93
SAFE

The luweiliao/ardupilot skill is legitimate ArduPilot drone control documentation written in Chinese, providing pymavlink code examples for connecting to and commanding ArduPilot flight controllers. No prompt injection, data exfiltration, malicious auto-executing code, or suspicious install-time behavior was detected across any monitoring dimension. The sole notable concern is an operational physical safety issue: the skill explicitly documents a force-arm magic value (21196) that bypasses ArduPilot's pre-arm safety interlocks, which could enable unsafe drone operations if this skill were deployed in an agent environment with direct drone hardware access.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 93/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (5)

MEDIUM Force-arm magic value documents safety interlock bypass -22

SKILL.md explicitly documents ArduPilot's force-arm parameter (param2=21196 in MAV_CMD_COMPONENT_ARM_DISARM), labeling it a 'magic value' that bypasses pre-arm safety checks such as GPS lock, level calibration, and mode readiness. An agent operating in a drone-connected environment could use this to arm and launch hardware without satisfying safety conditions, posing real-world physical risk. The skill also advises sending ARM, GUIDED, and TAKEOFF commands without waiting for acknowledgment, compounding the safety bypass.

LOW Manual pip dependency not auto-executed but agent may self-install -10

The skill's dependency section instructs 'pip install pymavlink'. While this is not triggered at install time (no setup scripts found), an agent with shell access that reads the skill and prepares its environment may execute this pip command unprompted, potentially altering the Python environment on the host system.

INFO openclaw-gateway new persistent external connections post-install -7

After installation, the openclaw-gateway process (pid=1086) established two persistent TCP connections to 98.83.99.233:443 and new local listeners on ports 18790/18793. These are attributable to the OpenClaw platform control plane rather than the skill itself. No skill-authored code ran at install time.

INFO Canary honeypot files accessed by monitoring infrastructure (expected) -5

All six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at two points: before install (1771924979.469) and after install (1771925001.891). Both access clusters occur at identical sub-millisecond timestamps for all six files, consistent with scripted monitoring checks rather than targeted credential harvesting. The monitoring system confirmed all files remained intact.

INFO No prompt injection patterns detected -4

Full review of SKILL.md found no attempts to manipulate agent behavior: no 'ignore previous instructions', no invisible characters, no role-switching directives, no encoded instructions, no URLs to fetch. The skill is entirely technical documentation for drone control.