Is mattvalenta/pls-canvas-design safe?

https://github.com/openclaw/skills/tree/main/skills/mattvalenta/pls-canvas-design

90
SAFE

The pls-canvas-design skill is a benign visual design assistant providing design philosophy descriptions and Python code examples for generating local PNG and PDF assets using PIL and FPDF. No prompt injection, data exfiltration instructions, malicious code, or suspicious runtime behaviors were detected in the skill content or during installation monitoring. Canary file accesses observed during the audit window are attributable to the audit harness lifecycle phases (pre-clone initialization and post-install integrity check) rather than any skill-driven activity, and all canary files remain intact and unmodified.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

LOW Python code examples may trigger dependency installation -10

SKILL.md contains Python code blocks using PIL (pillow) and FPDF libraries presented as illustrative generation examples. When injected into an agent's system prompt, the agent may attempt to execute this code and invoke pip install pillow or pip install fpdf to satisfy missing imports. The actual operations performed (creating local PNG/PDF files) are benign and pose no direct security risk, but unexpected package installation is worth noting.

LOW Canary file reads during audit window — attributed to audit harness, not skill -8

Six sensitive canary files were opened and read during the monitoring window: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json. Critically, these accesses occurred at timestamp 1771930183 (before the git clone at 1771930189) and again at 1771930207 (post-install integrity sweep). The CLOSE_NOWRITE flag on all events confirms read-only access. The skill's SKILL.md contains no instructions referencing these paths. Canary integrity check confirms all files unmodified.

INFO Relative font path may cause agent code execution failure -5

The PIL example references ImageFont.truetype('arial.ttf', 30) using a relative path. If an agent attempts to execute this code in an environment lacking arial.ttf in the working directory, it will raise a FileNotFoundError. This is a code quality concern rather than a security risk, but could lead to repeated agent retry loops or fallback behaviors.

INFO Clean installation — only expected GitHub network activity 0

The git clone operation contacted only GitHub (140.82.121.3:443) as expected. Ubuntu/Canonical connections (91.189.91.49, 185.125.188.54) were pre-existing system activity unrelated to the skill. The post-install socket state was clean with no new listeners or persistent connections. Only two files were added to the filesystem, both within the designated skill directory.