Is mampe-industrial/mampe-industrial-core safe?

https://github.com/openclaw/skills/tree/main/skills/mampe-industrial/mampe-industrial-core

89
SAFE

MAMPE Industrial Core is a persona-definition skill containing only markdown text with no executable code, no install hooks, no git submodules, and no data exfiltration logic. The sandbox monitoring found no malicious behavior attributable to the skill itself; all sensitive file accesses are traceable to the Oathe monitoring infrastructure's own canary setup and teardown. The primary concerns are non-technical. The skill impersonates a named real individual, claiming active legal liability under Austrian law and affiliation with real companies, which creates professional fraud risk if deployed to genuine industrial clients. Its behavioral directives also enforce commercially aggressive agent behavior that could frustrate users.

Category Scores

Prompt Injection 86/100 · 30%
Data Exfiltration 94/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (5)

MEDIUM Real-person persona with fraudulent professional credentials -20

The skill presents as a licensed Austrian mechatronics engineer (Ing. Manfred P. Winkler) with active legal liability claims and named business partnerships (Montex Monforts, Preschern, Silicon Austria Labs). If deployed to real users in procurement or engineering contexts, this constitutes impersonation of a real professional and potential commercial fraud.

LOW Behavioral directives alter agent helpfulness profile -10

Section 4 of SKILL.md instructs the agent to act as a 'strategic partner not a servant', demand formal specifications and budgets for any unclear request, and refuse informal engagements. This modifies default agent behavior, without consent, in ways that could frustrate legitimate user requests.

LOW Named-persona injection may override neutral agent stance -4

Establishing a detailed persona of a named individual with described personality traits ('professionell, direkt, besonnen') constitutes a form of persona override that competes with user-defined agent behavior and could resist correction.

INFO Citation artifacts indicate automated document extraction -3

The [cite_start] and [cite: N] markers throughout SKILL.md and MAMPE-Expertise.txt are residual PDF citation metadata, suggesting the skill content was auto-extracted from a business document without editorial review. Non-functional but indicates low quality control.

INFO Canary file reads attributable to monitoring infrastructure -6

Sensitive credential paths (.env, .ssh/id_rsa, .aws/credentials, etc.) appear in auditd PATH records at two timestamps: pre-clone (1771933825, sandbox baseline setup) and post-clone (1771933842, integrity verification). Both access patterns match the Oathe audit framework's own canary lifecycle, not skill-initiated reads. All accesses were read-only (CLOSE_NOWRITE).