Is 1kalin/afrexai-board-reporting safe?
https://github.com/openclaw/skills/tree/main/skills/1kalin/afrexai-board-reporting
This skill is a benign knowledge/template resource providing board reporting frameworks, SaaS benchmarks, and meeting prep checklists. It contains no executable code, no data access instructions, and triggered no suspicious behavior during installation. The only notable concern is embedded marketing content for paid AfrexAI products that becomes part of the agent's system prompt context.
Category Scores
Findings (4)
LOW Embedded promotional URLs and pricing in system prompt content -10 ▶
SKILL.md ends with three promotional links to afrexai-cto.github.io pages (context packs, revenue calculator, agent setup wizard) along with bundle pricing ($47-$247). This marketing content becomes part of the agent's system prompt context and could subtly influence the agent to reference or promote these paid products when generating board reports.
INFO Ambiguous 'pull your data' instruction in usage section -5 ▶
The usage section states the agent 'will pull your data and structure it using this framework.' While contextually this refers to user-provided business data, the phrasing is vague and could theoretically be interpreted by an LLM as an instruction to proactively access local files to find business metrics.
INFO Cross-skill reference in lock.json -2 ▶
The .clawhub/lock.json file references 'academic-research-hub' as an installed skill dependency. This appears to be packaging metadata rather than an active dependency or supply chain risk, but indicates the skill packaging may carry state from the author's environment.
INFO Advertising-as-a-skill pattern -5 ▶
The skill provides legitimate board reporting templates but doubles as a marketing funnel for paid AfrexAI products. While not a security threat, this pattern normalizes embedding commercial content in agent system prompts, which could erode user trust in the skill ecosystem.