Is 47vigen/developer-agent safe?

https://github.com/openclaw/skills/tree/main/skills/47vigen/developer-agent

88
SAFE

The developer-agent skill is a legitimate development workflow orchestration tool that provides structured stages for software development through Cursor Agent integration and git workflow management. While it passes user-provided content to external systems without apparent sanitization, no malicious code or data exfiltration attempts were detected during analysis.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 98/100 · 25%
Code Execution 99/100 · 20%
Clone Behavior 99/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (3)

MEDIUM User content passed to external systems without sanitization -15

The skill instructs to send user-provided links and attachments directly to Cursor Agent without apparent input validation or sanitization. This could potentially allow malicious users to inject content into the external system.

LOW Potential pass-through of malicious content -5

Instructions to present Cursor's output 'as-is' without modification could theoretically allow malicious content from the external system to pass through unfiltered.

LOW Coordination with external development tools -5

While the skill appears legitimate, it coordinates development workflows through external tools which could potentially be misused if provided malicious requirements, though this is more of a usage concern than a security flaw in the skill itself.