Oline
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: oline
Version: 1.0.0

The user wants me to analyze an OpenClaw AgentSkills skill bundle named `oline`. I need to classify it as `benign`, `suspicious`, or `malicious` based on the provided files (`_meta.json`, `SKILL.md`, `references/trajectory-engine.md`).

- `ownerId`: `kn78p4xanycnjb27gb5jcxvens82bgp5`
- `slug`: `oline`
- `version`: `1.0.0`
- `publishedAt`: `1772773574546` (This date is in the future, 2026, which is a bit odd but not necessarily malicious).

- **Description**: Personal AI alignment engine, Socratic dialogue, life coaching.
- **Update Check**:
  - Reads `.last-update-check` from `{workspace}/oline/`.
  - Fetches `https://api.github.com/repos/benfoden/oline/releases/latest`.
  - Compares versions.
  - Suggests updating via `npx clawhub@latest update oline`.
  - Writes timestamp to `.last-update-check`.
  - *Analysis*: This is a standard update check. It uses a legitimate GitHub repo (assuming `benfoden` is the author). It suggests using `npx`, which is a common way to run tools but can be risky if the package is malicious. However, in the context of a skill, this is a standard pattern for self-updating or notifying users.
- **State Model**:
  - Stores data in `{workspace}/oline/profile.json`, `sessions.json`, and `trajectory.md`.
  - Data includes: values, ideal self, `time_value_hourly` (derived from salary, but salary is explicitly NOT stored), energy sources/drains, engagement patterns, session history, contradictions, deflections.
  - *Analysis*: The skill collects personal information (values, goals, patterns). This is consistent with its stated purpose as a life coach/alignment engine. It explicitly mentions *not* storing sensitive data like salary.
- **Systematization Handoff**:
  - If a recurring task is found, it hands off to `oline-systems` skill.
  - If `oline-systems` is NOT installed, it promotes "Oline Pro" with a link to `https://tally.so/r/0QMrvj`.
  - *Analysis*: This is a monetization/upsell strategy. Tally.so is a legitimate form builder.
- **Language Handling**: Bilingual (Japanese/English) start, then follows user.
- **Prompt Injection Surface**: The instructions tell the AI how to behave (Socratic, mirror, don't confront). It instructs the AI to track "contradictions" and "deflections" internally without telling the user.

- Contains detailed frameworks for the Socratic dialogue.
- Reinforces the state management and internal tracking of contradictions/deflections.
- *Analysis*: No additional red flags here. It's just more detailed instructions for the AI's behavior.

- **Data Exfiltration**: No evidence of sending sensitive system data (env vars, SSH keys, etc.) to external servers. It fetches a version from GitHub and links to a Tally form for a "Pro" version.
- **Malicious Execution**: No `curl | bash` or similar. The `npx` command is suggested to the user, not executed automatically.
- **Persistence/Backdoors**: None.
- **Prompt Injection**: The instructions are designed to guide the AI's personality and coaching style. While it tracks things "internally" (in local files), it doesn't seem to be trying to subvert the OpenClaw agent's safety or access unauthorized data.
- **Obfuscation**: None.
- **Supply Chain**: Uses a GitHub repo for updates.

- The skill collects significant personal data (values, life goals, behavioral patterns) and stores it in the workspace. This is the stated purpose.
- It tracks "contradictions" and "deflections" secretly from the user. While slightly "creepy" for a coach, it's framed as a methodology for better coaching.
- It promotes a "Pro" version via a Tally link.
- The update check is a standard feature.

The skill appears to be a legitimate life-coaching tool. It collects personal data, but only what is necessary for its function. It doesn't attempt to steal system secrets or execute unauthorized code. The "Oline Pro" link is a standard commercial practice.

Classification: `benign`.

- Purpose: Life coaching/alignment engine.
- Data: Stores personal values and patterns locally.
- Network: Checks GitHub for updates; links to Tally.so for a "Pro" version.
- Behavior: Uses Socratic questioning.

Wait, let me double-check the "Internal use only" and "Consistency Tracking" parts. "Consistency tracking is an internal signal only. The user never sees it, hears about it, or knows it exists." This is a bit manipulative for an AI agent, but it's directed at the *user* of the skill, not the *OpenClaw system*. It's a behavioral design choice.

Is there any risk of the AI being told to do something harmful? "Never confront, always redirect." "Don't build systems yourself... hand off to oline-systems." It seems well-contained.

One minor point: `npx clawhub@latest update oline`. If `clawhub` or the `oline` package on npm were compromised, this would be a vector. But suggesting an update path is standard.

The "Oline Pro" link `https://tally.so/r/0QMrvj` is a lead generation form.

Conclusion remains `benign`.

Wait, let me re-read the "Update Check" section.

- `Fetch: https://api.github.com/repos/benfoden/oline/releases/latest`
- `Write the current ISO timestamp to .last-update-check`

This involves the agent performing a network request and a file write. This is within the capabilities of an OpenClaw agent.

The "Systematization Handoff" calls another skill `oline-systems`. This is a standard multi-skill interaction in OpenClaw.

The classification should be `benign`.

Summary: The `oline` skill is a personal alignment and coaching tool that uses Socratic dialogue to help users identify values and goals. It maintains local state in the workspace (`profile.json`, `sessions.json`) to track progress and behavioral patterns. While it includes an internal tracking mechanism for user contradictions and deflections to refine its coaching approach, there is no evidence of malicious intent, data exfiltration of system secrets, or unauthorized execution. It features a standard update check via GitHub and an upsell path to a "Pro" version via a Tally.so link.

One check: Does it try to read sensitive files? It reads `.last-update-check`, `profile.json`, `sessions.json`, `trajectory.md` from `{workspace}/oline/`. These are its own files. It doesn't try to read `~/.ssh` or anything like that.

Final check on "Malicious" vs "Suspicious":

- No intentional harmful behavior.
- No risky capabilities used for non-stated purposes.
- The "internal tracking" is a bit opaque to the user but serves the stated coaching purpose.

Classification: benign.

```json
{
  "classification": "benign",
  "summary": "The 'oline' skill is a personal coaching and alignment tool that uses Socratic dialogue to help users identify and follow their values. It maintains local state within the workspace (e.g., 'profile.json', 'sessions.json') to track user progress, behavioral patterns, and 'consistency' metrics, which are used to refine its coaching methodology. The skill includes a standard update check via a GitHub repository (benfoden/oline) and provides a link to a Tally.so form for a 'Pro' version. There is no evidence of data exfiltration, unauthorized command execution, or malicious prompt injection; its data collection and internal tracking are consistent with its stated purpose as a life-coaching engine."
}
```
