Is agent-builder safe?

https://clawhub.ai/plgonzalezrx8/agent-builder

Overall score: 85 (SAFE)

The agent-builder skill is a documentation-only skill that guides users through creating OpenClaw agent workspace configurations. It contains no executable code, makes no network requests, and includes responsible safety defaults in its templates. The only notable consideration is that it generates files which become system-level agent instructions, making it a trust-sensitive skill that users should review before deploying generated configs.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 78/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

LOW Agent config generation is inherently prompt-adjacent -12

This skill generates files (SOUL.md, AGENTS.md, IDENTITY.md) that will be injected into a future agent's system prompt. While the current templates are benign and include good safety defaults, the skill's core purpose means it operates at a sensitive trust boundary: whatever it writes becomes agent instructions. Users should review generated files before deploying them as agent configurations.

LOW Autopilot autonomy level could reduce safety friction -10

The skill offers an 'Autopilot (broad autonomy; higher risk)' option. If selected, the generated agent configuration would have fewer ask-before-acting guardrails. The skill correctly labels this as higher risk, but the option's existence means a careless user could create an overly autonomous agent.

INFO OpenClaw runtime reads sensitive paths during install -20

During installation, the OpenClaw runtime (not the skill itself) read /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/openclaw.json. This is standard framework behavior for loading configuration, not skill-initiated. No data was transmitted externally.

INFO No exfiltration vectors detected -5

The skill contains only markdown documentation and JSON metadata. No external URLs, no data encoding patterns, no file access outside the skill directory. All references point to local files within the skill's own references/ subdirectory.

INFO No executable code present -5

The skill is pure documentation — markdown files and JSON metadata. No package.json, no scripts, no hooks, no submodules, no symlinks. The only code-adjacent content is markdown template snippets intended to be copied into agent workspace files.

INFO Good safety defaults in generated templates -28

The skill's templates include explicit safety guardrails: ask-before-destructive actions, ask-before-outbound messages, stop-on-CLI-error, prefer trash over rm, and group chat etiquette. This represents responsible agent-builder design.