Is a5huynh/universal-checkout safe?

https://github.com/openclaw/skills/tree/main/skills/a5huynh/universal-checkout

Overall score: 82 (verdict: SAFE)

This is a documentation-only skill that wraps the Zinc e-commerce ordering API with no executable code, no canary file access, and clean clone behavior. The primary risk is inherent to its purpose: it enables an AI agent to spend real money by placing orders, with safety guardrails that exist only as prompt-level instructions. The autonomous cron job scheduling pattern for order status polling adds a secondary concern about persistent self-directed agent behavior.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 82/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8) (severity · finding · score impact)

MEDIUM Financial operations enable real money spending -25

The skill's core functionality is placing orders that spend real money through the Zinc API. While the skill includes safety instructions ('Always confirm with the user before placing an order'), these are soft prompt-level guardrails that rely on the agent's compliance and could be overridden by prompt injection from other contexts or skills.

MEDIUM Autonomous cron job scheduling pattern -12

The skill instructs the agent to schedule autonomous follow-up tasks using cron jobs in isolated sessions. While this is for the legitimate purpose of polling order status, it teaches the agent a pattern of creating self-directed autonomous actions that run without direct user initiation. An attacker modifying this skill could abuse this pattern to schedule malicious autonomous actions.

LOW PII transmitted to third-party API -10

Shipping addresses including full name, street address, city, state, postal code, and phone number are sent to the Zinc API (api.zinc.com), a third-party commercial service. While this is inherent to the skill's ordering functionality, users should understand their personal data flows through this intermediary.

LOW API key sent to external service -5

The ZINC_API_KEY environment variable is read and sent as a Bearer token to api.zinc.com. This is the expected authentication mechanism for the Zinc API but represents credential transmission to a third party.

LOW External URL references in skill instructions -6

The skill instructs the agent to make HTTP requests to api.zinc.com endpoints. While these are legitimate API endpoints for the stated service, the skill establishes a pattern of the agent making outbound requests to external services based on prompt instructions.

INFO Incongruent dependency in lock.json -5

The .clawhub/lock.json file references 'academic-research-hub' as an installed skill, which is thematically unrelated to an e-commerce checkout skill. This is likely a workspace artifact from the monorepo structure rather than a security concern.

INFO AWS and Cloudflare IPs contacted during installation -8

Outbound connections to 54.211.197.216 (AWS) and 104.16.2.34 (Cloudflare) were observed during the installation window. These are likely CDN or package registry traffic from system-level services rather than skill-initiated connections.

INFO No executable code — documentation-only skill 0

The skill consists entirely of markdown documentation and JSON metadata with no executable code, scripts, hooks, or submodules. This is the safest possible skill structure.