Is adamandjarvis/banana-farmer safe?
https://github.com/openclaw/skills/tree/main/skills/adamandjarvis/banana-farmer
The banana-farmer skill is a legitimate financial momentum data client for the bananafarmer.app commercial API. Source code is clean Python stdlib with no obfuscation, no install-time execution, no prompt injection patterns, and no access to sensitive system files. The primary residual concern is that ticker-level portfolio queries are transmitted to a third-party commercial service by design, revealing which assets a user holds — an inherent privacy tradeoff disclosed in the skill documentation. All canary files remained intact throughout the monitoring window.
Findings (5)
LOW Portfolio ticker composition sent to bananafarmer.app -10
When a user invokes the portfolio feature, bf-portfolio.py issues one API call per holding ticker to bananafarmer.app. While financial figures (shares, cost basis, P&L) are computed locally and never transmitted, the set of tickers queried reveals the user's holdings to the third-party service. This is the documented and expected behavior of the skill.
LOW Canary credential files accessed during monitoring window (audit framework, not skill) -10
inotify and auditd logged reads of .env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. Timing analysis confirms these are audit infrastructure reads (baseline setup at T+0s, verification at T+17s), not skill-initiated. No network exfiltration observed. Integrity confirmed.
INFO Third-party API logs all financial queries -7
bananafarmer.app receives ticker-level query logs that could reveal portfolio composition over time. The service has documented privacy and terms policies. Risk is proportionate to trust in the commercial operator.
INFO API provisioning curl command in SKILL.md -3
The Quick Start section documents a curl command for trial key generation. This is user-facing documentation, not an agent directive, and requires deliberate user action.
INFO Seven Python scripts — stdlib-only, fully auditable -5
The scripts use only the Python standard library. No obfuscation, no exec/eval, no subprocess calls, no third-party packages. The code is straightforward and readable.