Is abdullah4ai/visual-prompt-engine safe?

https://github.com/openclaw/skills/tree/main/skills/abdullah4ai/visual-prompt-engine

88
SAFE

The visual-prompt-engine skill is a legitimate creative utility that generates image prompts by scraping trending design references from Dribbble and transforming them into structured style cards. No prompt injection directives, credential access, or data exfiltration by the skill were detected, and all canary files remained intact. The primary residual risk is a second-order prompt injection surface: malicious content embedded in scraped Dribbble shots could reach the agent's context via style card descriptions. In addition, the fetch_html() function accepts an arbitrary URL parameter, so it could be pointed at a non-Dribbble endpoint if an agent is explicitly instructed to do so.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 86/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

LOW fetch_html() accepts arbitrary URL parameter -8

The scrape_dribbble.py script's fetch_html() function accepts a url parameter that defaults to Dribbble. If an agent is instructed to invoke the script with a non-Dribbble URL, the function could be used to make HTTP GET requests to arbitrary endpoints. This requires explicit agent instruction and is not self-activating.

LOW External web content ingested into agent context -10

The skill's architecture routes external Dribbble content (shot titles, descriptions) through style cards and into the agent's reasoning context. A malicious or compromised Dribbble shot with adversarial text in its title or description field could attempt to inject instructions into the agent at prompt generation time.

LOW Nested AI analysis prompt in style_card.py -14

The ANALYSIS_PROMPT string in style_card.py is injected into agent context when the 'prompt' subcommand is run. If a style card's image_url or source_url pointed to attacker-controlled content, the AI analysis step could relay adversarial instructions embedded in that content back to the agent.

LOW Post-install openclaw-gatewa establishes external connections -10

After install, the openclaw-gatewa process (part of the OpenClaw agent infrastructure, not the skill) establishes HTTPS connections to 54.211.197.216:443 (AWS) and 104.16.8.34:443 (Cloudflare). These are attributable to the OpenClaw platform, not the skill itself, but represent expanded network surface post-install.

INFO Outbound network requests to Dribbble are expected and documented 0

scrape_dribbble.py makes outbound requests to dribbble.com RSS feeds and optionally the Dribbble HTML interface. This is the core stated functionality of the skill. No POST requests or data uploads were observed.

INFO Canary file reads attributed to audit monitoring system, not skill 0

Canary file accesses (/.env, /.ssh/id_rsa, /.aws/credentials, etc.) appear at timestamps 1771733446.300 (system initialization) and 1771733465.971 (final integrity check), both outside the skill execution window. All six canary files were confirmed intact.