Is 1kalin/afrexai-fitness-engine safe?

https://github.com/openclaw/skills/tree/main/skills/1kalin/afrexai-fitness-engine

97
SAFE

This is a benign, pure-knowledge fitness skill containing extensive reference data for training programming, nutrition, recovery, and body composition tracking. No executable code, no external data transmission, no prompt injection vectors, and no canary file tampering were detected. The skill poses negligible security risk.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

INFO Large SKILL.md consumes significant context window -4

The SKILL.md is approximately 25KB of dense markdown content covering 16 sections of fitness knowledge. While this is all legitimate content, its size means it will consume a substantial portion of the agent's context window when loaded, potentially reducing capacity for other system instructions or user context.

INFO Lock file references unrelated skill -5

The .clawhub/lock.json file references 'academic-research-hub' version 0.1.0, which has no apparent relationship to a fitness skill. This appears to be stale metadata from the author's local environment that was accidentally committed. It has no functional impact but suggests slightly careless packaging.

INFO Marketing and upsell content in README -10

The README.md promotes a paid 'AfrexAI SaaS Context Pack' ($47) and links to other AfrexAI skills on clawhub.com and a GitHub Pages site. This is standard open-source marketing but the user should be aware that the skill author has commercial interests.