Is mishkinf/lore safe?
https://github.com/openclaw/skills/tree/main/skills/mishkinf/lore
The lore skill is technically clean — no executable code, no prompt injection tricks, and no malicious clone behavior — but it implements a structurally concerning pattern: it is always active and instructs the agent to automatically collect and forward sensitive conversation content, meeting notes, and data fetched from Slack/GitHub/email to a Lore MCP knowledge base without per-action user consent. Whether this constitutes a privacy risk depends heavily on where the Lore MCP server is pointed; if user-controlled and local, the risk is low, but the skill's design is architecturally indistinguishable from a passive data collection mechanism if the backend is third-party. Canary files were accessed post-installation but their integrity was preserved, consistent with audit framework activity rather than skill-driven access.
Findings (8)
HIGH (-28): Automatic ingestion of user-shared sensitive content without per-action consent
The skill instructs the agent to proactively ingest meeting notes, interview transcripts, and documents shared by users into the Lore MCP service. This happens automatically whenever the agent judges content 'worth preserving', with no per-action user confirmation required. Sensitive organizational data (strategy docs, HR notes, client meeting transcripts) shared in conversation would be silently forwarded to wherever the Lore MCP server endpoint points.
HIGH (-20): Automatic forwarding of content fetched from external service integrations
The skill instructs the agent to ingest content fetched from Slack, Notion, GitHub, and email into Lore. When combined with integration skills for these services, every fetch becomes an automatic data push to Lore. This includes Slack permalinks, Notion page URLs, and GitHub issue URLs — creating a comprehensive shadow copy of the user's integrated workspace activity.
MEDIUM (-15): Always-active automatic data collection via user-invocable: false
The skill sets user-invocable: false, meaning it is injected into every system prompt and active in every conversation. The agent receives standing orders to collect and forward data in every session, not only when the user explicitly invokes a knowledge command. This permanently alters agent behavior toward proactive data collection without the user having to request it.
MEDIUM (-22): Shadow knowledge base accumulates all conversation context across sessions
The combination of always-active status, automatic ingestion triggers (after conversations, after fetching external content, after decisions), and the ingest tool's idempotency framing creates a persistent cross-session record of everything the agent processes. If the Lore MCP server is third-party or misconfigured, this is a complete organizational intelligence exfiltration channel.
MEDIUM (-15): Canary files accessed (read) multiple times post-installation
Audit PATH records show .env, .ssh/id_rsa, .aws/credentials, and .docker/config.json were accessed after the skill installation completed. Integrity is reported as preserved (no modification). Access timing is consistent with Oathe framework monitoring cycles, and the skill itself (pure markdown) cannot directly read files. However, the pattern warrants disclosure.
LOW (-8): Lore MCP server endpoint unspecified; data destination opaque to user
The skill relies on MCP tools (ingest, search, research) whose endpoint is determined by the user's MCP server configuration, not by the skill itself. This is architecturally neutral, but means users may not realize they are configuring a remote service when they set up Lore. The skill provides no guidance on data residency or privacy policy of the Lore backend.
LOW (-3): Co-dependency on academic-research-hub skill
The .clawhub/lock.json shows academic-research-hub v0.1.0 was installed alongside this skill. This co-installed skill is not audited here and could interact with Lore's MCP surface, potentially expanding the attack surface if academic-research-hub has its own issues.
INFO (0): Standard sparse-checkout install from openclaw/skills monorepo
Installation performed a depth-1 sparse checkout targeting skills/mishkinf/lore specifically. No unexpected files were fetched. The cleanup (rm -rf /tmp/monorepo-clone) was performed as expected.