Is mhugo22/cheese-brain safe?
https://github.com/openclaw/skills/tree/main/skills/mhugo22/cheese-brain
Cheese Brain is a DuckDB-powered knowledge management skill with a clean SKILL.md file and a benign monitored installation — no prompt injection, no code executed during the audit's install phase, and all canary honeypot files remain intact with no exfiltration detected. The two material concerns are a supply chain risk (install instructions direct the agent to execute an unaudited external Python package via pip install -e from github.com/mhugo22/cheese-brain, which was not part of this audit) and a by-design data-aggregation risk (the skill is explicitly built to accumulate credentials, tokens, and infrastructure secrets into a single exportable DuckDB database). The skill itself is safe as delivered, but should only be installed after separately auditing the mhugo22/cheese-brain Python package and with awareness that the knowledge base it creates becomes a high-value exfiltration target.
Findings (8)
HIGH Unaudited External Python Package Install Directive -32
SKILL.md installation instructions direct the agent to clone github.com/mhugo22/cheese-brain and execute pip install -e . on it. Python editable installs run arbitrary code via setup.py, pyproject.toml build hooks, and console_scripts entry points. This external repository is not part of this audit and was not reviewed. If the repo is compromised or maliciously authored, the agent would execute that code silently during setup. The risk is compounded because the repo owner (mhugo22) is the same party who published this skill.
MEDIUM Skill Designed to Accumulate Sensitive Infrastructure Secrets -28
The skill explicitly instructs agents to store credentials, API tokens, Telegram channel IDs, internal paths, schedules, and run commands in a local DuckDB database via a freeform JSON data field. The documentation lists 'credentials' as an expected data-field value and provides use cases like 'Query infrastructure — What's the Telegram channel ID? → integration details with tokens, config'. Over time this creates a comprehensive, machine-readable inventory of the user's private infrastructure in a single file (~/.cheese-brain/).
MEDIUM Export Feature Creates Exfiltration-Ready Full Database Dumps -10
The skill provides built-in export commands that serialize the entire knowledge base to JSON or Parquet files on disk. If an agent is manipulated (e.g., via a prompt injection in another skill or user-provided content) into executing cheese-brain export to an attacker-controlled path, or if a co-resident malicious skill reads the export file, all accumulated infrastructure secrets are available in a single portable document.
MEDIUM Single Point of Compromise for User Infrastructure Knowledge -20
By design, Cheese Brain aggregates projects, contacts, tools, workflows, decisions, credential references, and infrastructure configuration into one queryable database. This creates a high-value target: any process that can read ~/.cheese-brain/ (or receive the output of cheese-brain export) gains a structured map of the user's entire technical environment. The risk is latent but meaningful in multi-skill agent environments where other skills may have broader filesystem or network access.
LOW Pre-existing External TLS Connection During Install Window -5
A TLS connection to 185.125.188.58:443 (Ubuntu/Canonical infrastructure, likely the snap or motd-news service) was present during the monitoring window. This was established before the skill install began and terminated naturally after. It is consistent with background system activity, not skill-induced behavior.
LOW Documentation References to Unaudited External GitHub Repository -12
SKILL.md contains multiple hyperlinks to github.com/mhugo22/cheese-brain (BACKUP_RECOVERY.md, FTS.md, PERFORMANCE_ANALYSIS.md, SECURITY.md). These are prose references and would not be auto-fetched, but an agent could be instructed to retrieve them, potentially exposing the agent to content in an unaudited repo under the skill author's control.
INFO Canary File Accesses Are Audit-Framework Baseline Checks Only 0
Filesystem monitoring recorded OPEN/ACCESS/CLOSE_NOWRITE events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at timestamps 1771904987 (pre-clone) and 1771905011 (post-install). Both correspond to the oathe audit framework's own canary verification steps. All closures are CLOSE_NOWRITE confirming no data was written or exfiltrated.
INFO Clean Sparse-Checkout Installation — Only Two Files Installed 0
The monitored install was a standard git sparse-checkout of skills/mhugo22/cheese-brain from the openclaw/skills monorepo. Only SKILL.md and _meta.json were written to /home/oc-exec/skill-under-test/. No executable content, no hooks, no submodules, no symlinks. Post-install filesystem diff confirms the two expected files only.