Is milesluman/essence-new safe?

https://github.com/openclaw/skills/tree/main/skills/milesluman/essence-new

91
SAFE

This skill is functionally empty — a 7-line philosophical mission statement with no actionable agent instructions, no code, no data access patterns, and no prompt injection. Sensitive credential files were accessed during the monitoring window but timing and context strongly attribute these reads to the oathe audit framework's own pre/post-install canary checks; all honeypots remain intact and no correlated data exfiltration was detected on the network. The primary concern is the anomalous metadata (v4.3.0 with empty history) suggesting this may be a placeholder or sleeper skill whose future updates should be reviewed before automatic installation.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 96/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 99/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (4)

MEDIUM Credential files accessed during install window -10

Six credential and secret files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCloud credentials) were opened and read during the monitoring window in two separate batches. Timestamp analysis places the first batch before the git clone commenced and the second batch after the audit framework finalized the install — both are consistent with oathe's own canary integrity verification passes. No modifications and no correlated outbound data transfer were detected, and the canary integrity check confirmed all honeypot files remain intact. The finding is documented for completeness given the sensitivity of the files involved.

MEDIUM Anomalous version metadata — v4.3.0 with empty history -15

The _meta.json claims version 4.3.0 but the history array is empty. For a skill with this version number, a populated history would be expected. This discrepancy suggests the author cleared version history, the metadata is hand-crafted to appear mature, or this is a staging identity. A benign skill installed today could be updated with malicious instructions without the user being prompted to re-review.

LOW No actionable injection patterns detected -2

The skill.md was fully parsed. No instructions to override system prompts, ignore previous context, suppress output, fetch external URLs, impersonate personas, or chain with other skills were found. The content is philosophical filler text only.

INFO No executable code of any kind 0

The skill directory contains only _meta.json and skill.md. No package.json, no npm lifecycle scripts, no shell scripts, no Python, no gitattributes filter drivers, no gitmodules, no githooks, and no symlinks were found.