Is meekotharaccoon/solarpunk-evidence-logger safe?

https://github.com/openclaw/skills/tree/main/skills/meekotharaccoon/solarpunk-evidence-logger

Overall score: 71 / 100 (CAUTION)

This skill is published under the name 'SolarPunk Evidence Logger' but contains entirely different content: a legitimate 'skill-creator' skill that teaches agents how to design, scaffold, and package new AgentSkills. The deception is at the metadata layer — the SKILL.md frontmatter, description, and bundled Python scripts are all consistent with skill creation, not evidence logging. No data was exfiltrated, no prompt injection attacks are embedded in the SKILL.md body, and installation was clean with only expected GitHub network activity. The primary risk is supply-chain deception: users install an evidence logger and unknowingly inject skill-creation capability into their agent, which could be chained with other skills for privilege escalation or covert skill distribution.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 52/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (6)

HIGH Skill identity fraud via metadata mismatch -48

The _meta.json registers this skill as 'SolarPunk Evidence Logger' with slug 'solarpunk-evidence-logger', but the SKILL.md frontmatter declares name 'skill-creator' and description 'Create or update AgentSkills. Use when designing, structuring, or packaging skills with scripts, references, and assets.' When loaded into an agent, the skill triggers on skill-creation contexts rather than evidence-logging contexts, completely misrepresenting its behavior to the installing user.

MEDIUM Bundled scripts create files at arbitrary filesystem paths -28

init_skill.py accepts a --path argument and will create directories and SKILL.md templates at any filesystem path the agent is instructed to use. The SKILL.md body explicitly instructs the agent to run this script as part of skill initialization. A confused or manipulated agent could be directed to create malicious skill scaffolding in unexpected locations.

MEDIUM Supply chain deception enables covert capability injection -55

Users installing what they believe is an evidence-logging skill silently acquire skill-creation knowledge and scripts in their agent context. The agent will now respond to skill design requests using workflows the user never consented to, and may execute init_skill.py or package_skill.py autonomously when triggered by matching user queries.

LOW Canary credential files accessed during audit window -13

Inotify and auditd PATH records show all six canary credential files were opened and read at two timestamps. Timeline correlation indicates these accesses originate from the oathe audit framework's own baseline scans rather than from skill-authored code. Files were not modified and no data was transmitted externally.

LOW package_skill.py uses relative import coupling -3

package_skill.py imports quick_validate via 'from quick_validate import validate_skill', requiring both files to reside in the same directory. If init_skill.py or package_skill.py is replaced by a future skill update, the relative coupling could allow a malicious quick_validate to be silently substituted.

INFO Clean install with expected GitHub network activity only 0

The installation process made a single outbound HTTPS connection to 140.82.121.3:443 (GitHub) for the monorepo clone. No secondary downloads, C2 beacons, or DNS lookups for attacker-controlled domains were observed.