Is mematron/web-navigator safe?
https://github.com/openclaw/skills/tree/main/skills/mematron/web-navigator
The mematron/web-navigator skill is an unpublished, incomplete template with no functional content beyond boilerplate TODO placeholders. No executable code, no prompt injection, no git hooks, no submodules, and no exfiltration vectors were found. The canary file READ events observed in monitoring are consistent with the oathe audit harness's own pre- and post-install integrity checks, not with any behavior attributable to the skill itself, and the canary integrity monitor independently confirmed no file modifications occurred.
Findings (4)
LOW Skill is an incomplete template with no implemented functionality -15
SKILL.md consists entirely of TODO placeholders and structural authoring guidance. No overview, no workflow, no capability description, no scripts, and no references are present. The skill cannot serve its stated purpose (web navigation) in its current state. Users installing this skill will receive no functional benefit.
INFO Canary credential files read during audit — attributable to audit harness, not skill -12
Files including .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application_default_credentials.json were opened and read at timestamps bracketing (not during) the skill installation. The accesses at 1771919198 predate the git clone at 1771919203. The accesses at 1771919221 occur after installation completes, during a new SSH session consistent with the harness's post-install canary integrity check. No skill code exists that could have triggered these reads. Canary integrity confirmed: all files unmodified.
INFO Single GitHub HTTPS connection during installation — expected behavior -8
The install script cloned the openclaw/skills monorepo via HTTPS from 140.82.121.4 (GitHub) and used sparse-checkout to extract only the skill's subdirectory. This is the intended install mechanism and the connection terminated cleanly. No additional C2 or data-collection endpoints were contacted.
INFO No prompt injection content detected in SKILL.md -4
The skill file contains no instructions that would alter agent behavior, override system prompts, request elevated permissions, exfiltrate data via side channels, or use obfuscation techniques (invisible unicode, HTML comments, encoded payloads). The file is structurally inert.