Is 1kalin/afrexai-soc2-compliance safe?

https://github.com/openclaw/skills/tree/main/skills/1kalin/afrexai-soc2-compliance

95
SAFE

This skill is a purely informational SOC 2 compliance guide with no executable code, no data exfiltration vectors, and clean clone behavior. All canary files remained intact. The only notable concern is embedded commercial promotion for paid AfrexAI products ($47-$247), which could subtly bias agent recommendations toward specific paid offerings during compliance discussions.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

LOW Commercial promotion embedded in skill content -10

The skill includes a 'Get the Full Implementation Package' section with three promotional links to paid AfrexAI products (context packs at $47-$247). When injected into an agent's system prompt, this content may cause the agent to recommend these specific paid products to users as if providing neutral compliance guidance. This is promotional content masquerading as part of a compliance framework.

INFO External URLs present but not weaponized 0

Three external URLs point to afrexai-cto.github.io subpages. These are presented as plain markdown links, not as instructions for the agent to fetch, execute, or process content from these URLs. No fetch-and-inject pattern detected.

INFO Large context window footprint for informational content -5

The SKILL.md is a lengthy document containing detailed SOC 2 compliance tables, checklists, timelines, and cost frameworks. While comprehensive, this consumes substantial context window space and could reduce the agent's capacity for user-specific work. The content is static reference material that might be better served as a fetchable resource rather than an always-injected prompt.

LOW Potential commercial bias in agent recommendations -10

Because the promotional content is part of the system prompt, the agent may naturally incorporate AfrexAI product recommendations when helping users with SOC 2 compliance topics. Users may not realize these recommendations stem from embedded advertising rather than objective analysis.