Is 1kalin/afrexai-ai-readiness safe?
https://github.com/openclaw/skills/tree/main/skills/1kalin/afrexai-ai-readiness
This skill is a legitimate AI readiness assessment framework containing structured scoring rubrics, budget tables, and a 90-day action plan template. It poses no direct security risk — there is no executable code, no data exfiltration mechanism, no prompt injection, and all monitoring signals (network, filesystem, canary files) are clean. The only notable concern is embedded commercial promotion linking to external GitHub Pages URLs that could theoretically be modified post-audit.
Category Scores
Findings (3)
LOW Embedded commercial URLs in agent context -15 ▶
The SKILL.md contains three promotional URLs to afrexai-cto.github.io selling 'context packs' ($47), a calculator, and an agent setup wizard, plus bundle pricing ($97-$247). When this skill is active, the agent will have these URLs in its system prompt and may recommend them to users as part of the assessment output. While not a security injection, this turns the agent into an advertising channel for a commercial product.
INFO GitHub Pages URLs could be modified post-audit -5 ▶
The three external URLs point to GitHub Pages (afrexai-cto.github.io). While currently appearing to be static promotional pages, the content at these URLs is controlled by the skill author and could be changed at any time to serve phishing pages, malicious downloads, or social engineering content. The skill itself cannot force the agent to fetch these URLs, but a user or agent may follow them.
INFO Skill is purely advisory markdown with no tool interactions 0 ▶
The skill contains only a structured assessment framework with scoring rubrics, checklists, budget tables, and action plan templates. It does not instruct the agent to use any tools, access files, run commands, or perform network operations. This is a text-only consulting methodology.