Is manecharo/chaos-pivot safe?

https://github.com/openclaw/skills/tree/main/skills/manecharo/chaos-pivot

94
SAFE

The chaos-pivot skill is a pure Markdown reasoning framework with no executable code, no network-calling instructions, no sensitive file access directives, and no prompt injection attempts. All canary files remained intact, clone behavior was normal, and all network activity during installation is attributable to GitHub's git transport and the audit platform's own infrastructure. The only notable concerns are minor design trade-offs: broad trigger heuristics that could cause false-positive activations, and optional opacity in internal reasoning chains — both consistent with benign intent and standard chain-of-thought methodology.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 97/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (5)

LOW Broad trigger conditions may cause false-positive activation -5

The skill's activation criteria include 'more steps than reasonably expected for a task of this scope' with no precise threshold. This vague heuristic could cause the skill to interrupt legitimate, multi-step tasks by declaring them stuck, potentially overriding user-intended workflows.

LOW Internal reasoning phases default to hidden from user -3

The DEAD END DECLARATION step instructs the agent to produce reasoning it 'does not need to show to the user.' While this is standard chain-of-thought practice, it represents a mild reduction in transparency that a cautious user should be aware of.

INFO Post-install connections from openclaw-gateway to 98.83.99.233:443 -8

Two established TCP connections from the openclaw-gateway process (the audit platform itself) to 98.83.99.233:443 appear in the post-install network state. These are attributable to the audit infrastructure, not to the skill, as the skill contains no network-calling code.

INFO Post-install canary file reads noted but files unmodified -5

Credential-path files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened at audit(1771916108.523) after skill installation. These reads are consistent with the audit framework's post-install canary integrity verification pass. All files confirmed intact.

INFO Mandatory stop directive could disrupt valid in-progress tasks -12

When trigger conditions are met, the skill instructs the agent to 'do not take one more step on the current approach. Stop completely.' If the trigger fires incorrectly during a legitimate task, the agent will abandon valid work. This is a design risk, not a security risk.