Is 1kalin/afrexai-data-governance safe?
https://github.com/openclaw/skills/tree/main/skills/1kalin/afrexai-data-governance
This skill is a legitimate data governance assessment framework containing only Markdown and JSON files with no executable code, no data exfiltration vectors, and clean monitoring across all channels. The only notable concerns are embedded marketing links for paid products ($47 context packs) in the 'Next Steps' section, which turn the agent into a soft advertising channel. All canary files remained intact and no suspicious clone-time behavior was detected.
Findings (3)
LOW Embedded marketing URLs for paid products -12
The SKILL.md 'Next Steps' section contains three promotional links to afrexai-cto.github.io pages selling paid products ($47 context packs, AI revenue calculator, agent setup wizard). When the agent follows the skill's instructions, it will present these commercial links to users as recommendations, effectively acting as an advertising channel. The links are visible and clearly labeled, not hidden, but users may not expect a governance assessment tool to include upsell content.
INFO Anomalous dependency in lock.json -5
The .clawhub/lock.json file references a dependency on 'academic-research-hub' v0.1.0, which is thematically unrelated to data governance. This is likely a development artifact or copy-paste from a template, but is worth noting as it may indicate the skill was scaffolded from another project.
INFO Organizational security posture data in session context -5
By design, this skill guides the agent to gather detailed information about an organization's data governance posture across access control, compliance, retention policies, and AI governance. While this is the skill's intended purpose and the data stays within the conversation, users should be aware that sensitive organizational security assessment data will exist in their session history.