Is mcpcentral/cybersec-helper safe?
https://github.com/openclaw/skills/tree/main/skills/mcpcentral/cybersec-helper
The cybersec-helper skill is a documentation-only prompt-engineering artifact containing SKILL.md and _meta.json with no executable code, no network-initiating capability, and no data exfiltration mechanisms. The skill is well-structured, references legitimate security authorities, and includes explicit ethical constraints. Its primary risk profile is dual-use in nature: the 'always:true' activation and exploit-db references mean a persistent security framing is injected into every session, which could be leveraged by a determined user to push the agent toward more operational security assistance. Monitoring evidence shows no unauthorized file access, no unexpected network connections, and all canary files remained intact.
Category Scores
Findings (7)
LOW (-5): always:true forces persistent skill activation
The skill declares 'always:true' in its openclaw metadata, meaning it is injected into every agent session unconditionally. This is not inherently malicious but increases the systemic footprint: every user interaction is colored by security-advisor framing, expanding the surface area for users to attempt security-adjacent requests that could push ethical boundaries.
LOW (-5): External URL references to dual-use security resources
The skill instructs the agent to reference and cite exploit-db, CVE databases, NVD, HackerOne/Bugcrowd writeups, and OWASP. These are all legitimate resources, but depending on agent tool configuration, referencing exploit-db could lead the agent to fetch and relay live proof-of-concept exploit code. The framing is informational rather than action-driving, but the risk is non-zero in a tool-capable agent.
LOW (-10): Dual-use security context with exploit-db anchoring
The skill explicitly anchors the agent to exploit-db as an authoritative reference for PoC exploits. While framed under ethical constraints, a user conducting a social-engineering attack could cite this skill's own guidance to justify requests for exploit details or attack assistance against claimed 'in-scope' targets. The ethical guardrails are advisory text, not enforced policy.
LOW (-10): Security framing could amplify prompt injection from external content
Because the skill is always active and trains the agent to 'think like a red teamer' and 'question assumptions,' malicious content in files or web pages the agent reads could more effectively manipulate it into treating attacker-controlled instructions as legitimate security analysis tasks.
INFO (-4): Future Notion integration would create external data-sharing surface
Section 8 of the skill describes a planned integration with Notion to maintain an OWASP reference database. This feature is not currently active, but if implemented and a Notion workspace is configured, security-related session context could be written there. The risk is speculative and future-gated.
INFO (0): No executable components present
The skill is documentation-only. The entire install consists of two files: a markdown behavior specification and a JSON metadata file. There is no mechanism for code execution at install time or runtime from within the skill package itself.
INFO (0): Canary file accesses confirmed as monitoring harness activity
Auditd PATH records show six canary files accessed at timestamps 1771932393 (pre-install) and 1771932410 (post-install). These timestamps exactly bracket the installation sequence and match the monitoring harness pattern of checking canary files before and after skill installation. No skill-originated code could have accessed these files.