Is 0xjordansg-yolo/openclaw-aisa-us-stock-analyst safe?

https://github.com/openclaw/skills/tree/main/skills/0xjordansg-yolo/openclaw-aisa-us-stock-analyst

83
SAFE

This skill is a legitimate stock analysis tool that wraps the AIsa unified API platform. It contains no prompt injection, no credential theft, no malicious code execution, and passed all canary/clone behavior checks cleanly. The primary security consideration is that all user financial queries and analysis data flow through the third-party service api.aisa.one, including an LLM gateway that forwards constructed prompts to external model providers.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (5)

MEDIUM All user data routed through third-party API -30

Every API call (financial data, news, social sentiment, LLM analysis) is routed through api.aisa.one. The user's financial queries, ticker interests, and analysis context are sent to this external service. The LLM gateway endpoint additionally proxies constructed prompts containing aggregated data to external model providers.

LOW Duplicated SKILL.md content doubles context consumption -10

The SKILL.md file contains the complete frontmatter and body content duplicated end-to-end (two identical copies of the frontmatter block and all documentation). This doubles context window consumption (~800 lines total) which could reduce space available for other instructions or user context. Likely a packaging bug rather than intentional attack.

LOW Executable Python scripts with external dependency -15

The skill includes multiple executable Python scripts and a requirements.txt requiring httpx>=0.24.0. While the code is clean and well-structured (standard async HTTP client pattern), it does expand the execution surface. The code contains no obfuscation, no dynamic eval, and no filesystem operations beyond writing output files.

INFO LLM gateway creates secondary data exposure channel -10

The /v1/chat/completions endpoint acts as an LLM proxy — the agent constructs prompts from gathered data and sends them through aisa.one to external LLM providers (GPT-4, Claude, Gemini, etc.). This means financial data gathered by the skill gets forwarded to yet another third party beyond aisa.one itself.

INFO Clean clone with no unexpected activity -5

The skill installation produced only expected network traffic (GitHub for git clone, Ubuntu system services) and no unexpected process execution. Filesystem diff shows only standard VM system activity.