Is mdealiaga/openpet safe?
https://github.com/openclaw/skills/tree/main/skills/mdealiaga/openpet
OpenPet is a Tamagotchi-style virtual pet skill that appears functionally benign — its SKILL.md contains no prompt injection, no instructions to read sensitive files, and no executable code. The primary concerns are a cron job persistence instruction that would create a recurring host-level scheduled task outside normal user sessions, and collection of cross-platform user identifiers (Discord IDs, phone numbers, Signal UUIDs) that accumulates a PII database over time. Canary file reads observed during the audit correlate with the Oathe monitoring framework's own pre/post baseline scans rather than skill-triggered activity.
Findings (6)
MEDIUM Cron Job Persistence Instruction -21
SKILL.md instructs the agent to 'Set up cron job openpet-tick every 2 hours'. This directs the agent to create a persistent host-level scheduled task that would run independently of user sessions, writing pet state files and sending platform alerts on a recurring basis. Persistence mechanisms are atypical for game skills and expand the skill's blast radius significantly.
MEDIUM Cross-Platform User Identity Aggregation -16
The skill instructs the agent to extract and persistently store platform-specific user identifiers (Discord userId, WhatsApp phoneNumber, Telegram chatId, Signal UUID) paired with display names in JSON files. Over time this builds a cross-platform identity database. While serving the game's multi-user functionality, this scope of PII collection is broader than necessary and the stored data would be valuable to an attacker with filesystem read access.
LOW Unsolicited Agent Messaging to Users -14
The Alerts section instructs the agent to proactively send messages to users on their origin platform when pet stats hit thresholds. This means the agent sends user-visible messages autonomously, triggered by the cron job rather than a user request. This creates an unsolicited outbound communication channel.
LOW Implicit Elevated Permission Request -10
The skill requests cron job creation and cross-platform messaging access without declaring these in its description or README. The description claims 'Virtual pet game for chat platforms' but the implementation requires system scheduler access and platform API write capabilities — permissions substantially broader than the stated purpose.
INFO Canary Files Read by Audit Framework (Not Skill) 0
Filesystem monitoring recorded read-only accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials. Correlation with auditd event timing (accesses at events 259-264, immediately after auditctl initialization at event 233; and at events 1446-1451 post-install) strongly indicates these are Oathe's own pre/post baseline integrity checks. The skill contains no executable code capable of triggering these reads, and no outbound data transfer followed the accesses.
INFO Clean Single-Endpoint Installation 0
The git clone operation connected only to GitHub (140.82.121.3:443) as expected. No additional endpoints were contacted, no new persistent listeners were established, and the DNS resolution was limited to GitHub infrastructure. Post-install connection state is identical to pre-install minus the completed clone connections.