Is 1kalin/afrexai-customer-onboarding safe?

https://github.com/openclaw/skills/tree/main/skills/1kalin/afrexai-customer-onboarding

81
SAFE

The 'Customer Onboarding Optimizer' skill is technically clean: no executable code, no data exfiltration logic, no traditional prompt injection, and clean canary results. However, it functions as commercial adware — the skill is authored by AfrexAI and embeds undisclosed paid product promotions ($47-$247) into agent system context under the guise of neutral expert resources, creating a conflict of interest that biases agent recommendations toward AfrexAI's commercial products. Users installing this skill are unknowingly adding a vendor advertisement to their agent's permanent context.

Category Scores

Prompt Injection 60/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (5)

HIGH Undisclosed Commercial Advertising Embedded as Neutral Framework Content -50

The skill owner (1kalin) is affiliated with AfrexAI, yet the skill presents AfrexAI commercial products as neutral expert resources without disclosure. The Resources section contains explicit pricing ($47/pack, $97-$247 bundles) for AfrexAI-branded products. When loaded as agent context, this transforms the skill into an undisclosed advertisement: any agent using this skill for onboarding guidance will be primed to recommend and reference AfrexAI products as authoritative resources.

MEDIUM Commercial URLs in System Prompt Context Bias Agent Recommendations -40

Three GitHub Pages URLs owned by AfrexAI are embedded in SKILL.md's Resources section and will be loaded into agent context as authoritative references. Agents with web tools may proactively fetch these commercial landing pages. Even without fetching, the framing of these URLs as 'resources' in a skill framework causes agents to treat them as legitimate expert recommendations rather than commercial sales pages.

LOW Sensitive Credential Files Opened During Monitoring Window -10

Auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were all opened at the same millisecond timestamp (1771949925.436 pre-install, 1771949943.508 post-install). The simultaneous batch access pattern across all 6 files at identical timestamps is characteristic of the audit system's canary setup and teardown procedures, not skill behavior. Canary integrity passed. Flagged for transparency only.

LOW Background System Network Activity During Install Window -12

Connections to Canonical/Ubuntu servers (91.189.91.48:443, 185.125.188.59:443) observed during monitoring. Both IPs are present in the BEFORE connection snapshot, confirming these are pre-existing background OS processes (Ubuntu package update checks, Snap service) unrelated to skill installation.

INFO No Executable Code — Pure Markdown Skill 0

SKILL.md contains exclusively markdown documentation. No scripts, no code blocks with executable content, no npm/pip install instructions, no git hooks, no submodules, no symlinks. The skill cannot execute code by itself.