Is madsmith/wekan-openclaw-skill safe?
https://github.com/openclaw/skills/tree/main/skills/madsmith/wekan-openclaw-skill
The wekan-openclaw-skill is a legitimate WeKan board management skill with clean, non-adversarial SKILL.md content, no direct data exfiltration instructions, and a well-behaved install process that only contacted the official openclaw GitHub monorepo. The sole meaningful risk is a supply chain vulnerability: the CLI dependency is fetched directly from an unversioned personal GitHub repository with no commit hash pinning, meaning any future malicious commit or account compromise would deliver attacker code to all subsequent installations. The skill content itself passed all injection, canary, and behavioral checks.
Findings (6)
HIGH Unversioned External Dependency from Personal GitHub Repository -35
The skill install metadata specifies the CLI tool as 'wekan-cli @ git+https://github.com/madsmith/wekan_cli.git' with no commit hash pin, no version tag, and no integrity verification. Any commit pushed to the madsmith/wekan_cli default branch will be fetched and executed as Python code when a user installs or updates this skill. Account compromise or an intentional malicious push to that repo would silently deliver attacker-controlled code to all installing users.
MEDIUM CLI Tool Installed from Unaudited Source Could Exfiltrate Credentials at Runtime -20
Because wekancli is installed from an unversioned personal GitHub repo rather than a pinned PyPI release, the installed binary could contain data exfiltration logic that activates when the agent invokes any wekancli command. The WEKAN_TOKEN, WEKAN_URL, and any data visible to the agent at runtime would be available to such code. The skill content itself is clean; this risk is embodied in the install supply chain.
LOW Credential Scope: WEKAN_TOKEN Persists in Environment -22
The skill declares WEKAN_TOKEN as a required environment variable. This token grants persistent authenticated access to the WeKan instance for the lifetime of the agent session. If the CLI tool is ever compromised via the supply chain vector above, the attacker would inherit full access to the board server under the configured identity.
INFO SKILL.md Content Is Clean — No Adversarial Instructions 0
Complete review of SKILL.md and all reference files found only legitimate WeKan CLI documentation. No instruction override, persona change, output suppression, hidden unicode, or chaining instructions detected.
INFO Install Process Behaved As Expected 0
The skill installation used a minimal git sparse-checkout from the official openclaw/skills monorepo, copied only the skill subdirectory, and cleaned up the temporary clone. No unexpected network destinations, process spawning, or out-of-scope filesystem writes were observed.
INFO Canary Files Intact — No Runtime Exfiltration Detected 0
All honeypot credential files were confirmed intact. Sensitive file open events in auditd predate the skill clone and match the audit framework's own canary setup and teardown timing, not skill-initiated reads.