Is answeroverflow safe?

https://clawhub.ai/RhysSullivan/answeroverflow

Score: 82 · SAFE

The answeroverflow skill is a benign markdown-only documentation skill that helps agents search and retrieve indexed Discord conversations from answeroverflow.com. It contains no executable code, no install scripts, no git hooks, and no prompt injection payloads. The primary risk is the second-order injection surface created by directing the agent to fetch external web content, which is inherent to any search/retrieval skill. All canary files remained intact and no suspicious network or process activity was observed during installation.

Category Scores (score out of 100 · weight)

Prompt Injection 78/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 70/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (4)

LOW Agent directed to fetch external URLs -12

The skill instructs the agent to use web_fetch on answeroverflow.com URLs with user-supplied message IDs. While the domain is legitimate, fetched content from any external source could contain prompt injection payloads that the agent would then process. This is a second-order injection risk inherent to any skill that directs content fetching.

LOW MCP server reference could expand agent capabilities -10

The skill references an MCP server at https://www.answeroverflow.com/mcp with four tools (search, server discovery, thread messages, similar threads). While the reference is purely informational, an agent might attempt to connect to this endpoint and gain capabilities the user did not explicitly consent to.

INFO Host runtime accessed sensitive files during install -30

The OpenClaw agent runtime (not the skill itself) accessed .env, .aws/credentials, auth-profiles.json, and openclaw.json during the install phase. This is standard runtime initialization behavior and not attributable to the skill, but it confirms that sensitive files are accessible in the runtime environment.

INFO Potential second-order exfiltration channel -8

The web_fetch + web_search pattern could in principle be repurposed as a data exfiltration channel if combined with a malicious skill that encodes sensitive data into search queries or URL paths. This would require deliberate misuse beyond the skill's stated instructions, so it is a theoretical concern rather than an active threat.