Is lxgicstudios/code-explainer safe?
https://github.com/openclaw/skills/tree/main/skills/lxgicstudios/code-explainer
The lxgicstudios/code-explainer skill is a documentation-only package with no executable code, no install hooks, no prompt injection, and no malicious instructions. The SKILL.md is clean marketing copy for a CLI tool. The sole security-relevant concern is architectural: the skill promotes npx ai-explain, which by design transmits source file contents to an undisclosed external AI service — a behavior that is disclosed in the documentation but may expose sensitive proprietary code if invoked autonomously by an agent. All canary honeypots remained intact and no exfiltration was detected during installation.
Findings (5)
LOW Promoted tool sends source code to undisclosed external AI endpoint -20
The SKILL.md documents that npx ai-explain reads source files from disk and transmits their full contents to an AI model API. This is the intended, disclosed functionality. However, the specific service endpoint receiving the code is not named, users cannot assess its data retention or privacy posture, and an LLM agent operating autonomously may invoke this on sensitive or proprietary code without explicit user awareness.
LOW Runtime npm package (ai-explain) is unaudited and downloaded at execution time -22
The skill instructs the agent to run npx ai-explain, which resolves and executes a third-party npm package at runtime. The integrity, behavior, and update history of that package are not covered by this skill audit. A compromised or malicious update to the ai-explain npm package could introduce code execution or data exfiltration risks that would not be visible in the SKILL.md content.
INFO Pre-existing Ubuntu/Canonical connections in baseline not related to skill -10
Two established TLS connections to Canonical/Ubuntu infrastructure (185.125.188.58, 185.125.190.17) were present in the BEFORE snapshot and absent in the AFTER snapshot. These connections closed during the audit window but are consistent with normal Ubuntu system update activity and are unrelated to the skill installation.
INFO Canary file access events attributed to monitoring framework, not skill 0
Inotifywait and auditd recorded opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at 13:39:50 (6 seconds before the install script launched) and at 13:39:56 (.ssh/authorized_keys, consistent with sshd authentication). The pre-install accesses are consistent with the oathe framework initializing and hashing honeypot files. All canary files confirmed intact by integrity check.
INFO Marketing links to external domains present in SKILL.md -3
The skill includes links to github.com/LXGIC-Studios, x.com/lxgicstudios, lxgicstudios.substack.com, and lxgic.dev. These are benign marketing links but represent external domains that an agent with web browsing capability could visit if it misinterprets the SKILL.md as instructions rather than documentation.