Is hzl safe?
HZL is a documentation-only skill that teaches agents to use an external task-tracking CLI. It contains no executable code, no git hooks, no submodules, and no symlinks. The primary concerns are: (1) the clone process accessed ~/.aws/credentials and ~/.env during installation (likely attributable to the OpenClaw runtime, not the skill itself, and no data was exfiltrated), (2) aggressive behavioral steering that makes the external HZL binary the default for all task tracking, and (3) supply-chain risk from depending on an external binary installed via Homebrew/npm.
Findings (8)
MEDIUM Clone process accessed ~/.aws/credentials and ~/.env -18
During the skill installation process, filesystem monitoring detected the clone process opening and reading ~/.aws/credentials and ~/.env. While no network connections were made (so no data was exfiltrated during install), accessing these sensitive credential files is unexpected for a task-tracking skill installation. This may be attributable to the OpenClaw platform runtime rather than the skill itself, but it warrants attention.
MEDIUM Aggressive behavioral steering overrides default agent tooling -15
The skill uses strong directive language to make HZL the default task-tracking mechanism, explicitly disparaging built-in alternatives ('OpenClaw has NO native task tracking tools'). While this is the skill's stated purpose, the aggressive framing could cause an agent to use HZL even when simpler built-in tools would suffice, increasing the attack surface.
MEDIUM External tool dependency creates supply-chain risk -15
The skill creates a runtime dependency on the 'hzl' binary (installed via Homebrew or npm). All task data, project context, checkpoints, and agent coordination flow through this external tool. A supply-chain compromise of the hzl package would give an attacker access to detailed records of all agent work. The 'cloud-synced for backup' option further extends the trust boundary.
LOW Web dashboard defaults to network-accessible binding -10
The 'hzl serve' command defaults to binding on all interfaces (port 3456), making the task database accessible to anyone on the local network. The systemd service setup example does not restrict to localhost. Task data may contain sensitive project details.
LOW Destructive commands with --yes bypass documented -10
The skill documents 'hzl init --force --yes' which deletes all data without confirmation. While the skill explicitly warns agents not to use these commands without user consent, documenting the bypass flag increases the risk of an agent being socially engineered into running it.
LOW External install package references in metadata -8
Metadata references Homebrew package 'hzl' and npm package 'hzl-cli' as install sources. These are external packages, outside what the skill author directly controls in the skill content itself.
INFO No executable code present in skill repository 0
The skill contains only documentation (SKILL.md) and metadata files (.json). No scripts, hooks, submodules, or symlinks are present. The package.json is empty.
INFO All honeypot files intact 0
No canary files were accessed or modified during skill installation.