Is code-mentor safe?
https://clawhub.ai/samuelkahessay/code-mentor
Code-mentor is a legitimate educational skill with comprehensive programming tutoring capabilities. However, it raises moderate concerns: it includes Python scripts intended for execution against user code whose full contents cannot be verified, extensively overrides agent behavior with 8 distinct modes and mandatory progress tracking, and creates persistent user profiling data. No active malicious behavior was detected during installation — no network connections, no canary file tampering, and no filesystem modifications outside expected paths.
Findings (8)
MEDIUM (-20): Extensive persona and behavioral override
The SKILL.md defines 8 teaching modes with detailed behavioral rules that fundamentally alter how the agent responds to user input. It instructs the agent to adopt a 'programming tutor' persona, withhold direct answers in debugging mode, and follow specific questioning frameworks. While pedagogically motivated, this represents significant behavioral manipulation of the agent.
MEDIUM (-15): Mandatory persistent state tracking
The skill marks progress tracking as 'CRITICAL' and uses imperative language ('You MUST update the learning log after each session'). This creates a persistent behavioral mandate that survives across sessions, forcing the agent to write to files on every interaction.
MEDIUM (-10): User input reinterpretation via Quick Commands
The Quick Commands section maps natural language patterns to specific behavioral modes, effectively hijacking how the agent interprets certain user inputs. Phrases like 'Help me debug this' or 'Review my code' trigger specific behavioral frameworks rather than natural agent responses.
HIGH (-35): Python scripts intended for execution against user code
The skill includes 3 Python scripts (analyze_code.py, run_tests.py, complexity_analyzer.py) and encourages the agent to run them. While described as 'optional helpers', the actual script contents are not fully visible for inspection. Scripts like run_tests.py and analyze_code.py that process user code could contain malicious payloads that execute during 'analysis'.
LOW (-20): Python dependency installation via requirements.txt
The skill includes a requirements.txt with 3 packages (pylint, pytest, colorama). While these are legitimate, well-known packages, pip install is a code execution vector and the version constraints (>=) allow future vulnerable versions.
LOW (-20): Persistent user profiling via learning log
The skill creates and maintains a detailed profile of the user including their experience level, topics studied, problems solved, areas of weakness, and learning goals. While pedagogically useful, this creates a persistent data store that could be accessed by other skills or attackers.
INFO (-15): Sensitive file reads during installation
Filesystem monitoring detected reads of .env, .aws/credentials, .profile, .bashrc, and /etc/passwd during the clone/install process. These appear to originate from the OpenClaw platform infrastructure rather than the skill itself, but warrant noting.
INFO (-50): Combination risk with other skills
The skill's Python scripts and persistent file writing create infrastructure that could be weaponized by other skills. A malicious companion skill could modify the Python scripts to include exfiltration code, or read the learning log to profile the user for social engineering.