Is martok9803/martok9803-ci-whisperer safe?
https://github.com/openclaw/skills/tree/main/skills/martok9803/martok9803-ci-whisperer
CI Whisperer is a well-constructed, narrowly-scoped skill for analyzing GitHub Actions failures. No prompt injection, no malicious code patterns, no active data exfiltration, and no unexpected network behavior were detected. The primary residual risks are operational: CI logs fetched into model context may contain secrets, and the opt-in write mode grants the agent authenticated Git push capability — both of which are inherent to the skill's stated purpose rather than indicators of malicious intent.
Findings (6)
MEDIUM CI logs may surface secrets into model context -12
GitHub Actions logs frequently contain plaintext environment variables, API tokens, and build secrets. The skill fetches these logs and passes them to the agent. The skill instructs the agent to 'redact secrets before quoting' but this is advisory — the raw log content is already in-context and available to any subsequent skill or prompt.
MEDIUM Write mode enables authenticated Git operations (branch creation, PR opening) -8
When CI_WHISPERER_WRITE=1, the skill can create branches and open pull requests against any repo the user's gh token has write access to. While properly double-gated (explicit user request + env var), this is a meaningful capability with irreversible side effects.
LOW gh CLI token access extends to all user-authorized repositories -6
The skill uses the host gh CLI authentication. If the user's gh token is scoped broadly (e.g., full repo access), the skill inherits that access and could be directed to fetch logs from any repo the user can reach. This is expected behavior but users should be aware of the blast radius.
LOW Sensitive file reads observed at pre-clone timestamp -5
inotifywait and auditd both recorded reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at audit timestamp 1771906272 — approximately 5 seconds before the git clone began at 1771906277. This timing is consistent with audit framework canary initialization rather than skill behavior. Canary integrity confirms no modification or exfiltration. Flagged for transparency.
INFO ci_autopsy.py uses subprocess with list args — no injection risk 0
The Python helper script correctly uses subprocess.run with a list of arguments and shell=False (default). The run-id argument is typed as int. No command injection vector exists in the current implementation.
INFO No prompt injection patterns detected in SKILL.md 0
SKILL.md contains no instructions to override system prompts, ignore previous instructions, change persona, suppress output, access files beyond its scope, or chain with other skills in unexpected ways. The skill is transparent about its capabilities and limitations.