Is 1kalin/afrexai-deal-desk safe?

https://github.com/openclaw/skills/tree/main/skills/1kalin/afrexai-deal-desk

94
SAFE

This skill is a pure markdown knowledge base providing a B2B deal desk framework with discount guardrails, approval workflows, and margin analysis templates. It contains no executable code, no data access patterns, and no prompt injection techniques. The only notable concern is embedded advertising for paid AfrexAI products ($47-$247) in the Resources section, which uses the skill platform as a commercial promotion channel.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (3)

LOW Embedded commercial URLs in Resources section -12

The skill includes three external URLs pointing to afrexai-cto.github.io pages that promote paid products (AI Revenue Leak Calculator, Industry Context Packs at $47 each, Agent Setup Wizard). These are passive markdown links, not active fetch directives, but they use the skill as an advertising channel for commercial products.

LOW Skill used as commercial advertising vehicle -22

The skill provides genuine deal desk framework content but its Resources section and README function as advertising for AfrexAI paid products. The pricing details ($47/pack, $97-$247 bundles) embedded in the SKILL.md will be injected into the agent's context, potentially influencing the agent to recommend these paid products when users ask about deal management.

INFO Lock file references unrelated skill 0

The .clawhub/lock.json references 'academic-research-hub' skill version 0.1.0, which appears unrelated to this deal desk skill. This is likely a development artifact and poses no security risk, but indicates the author may have copied a template or has multiple skills in development.