Is adhishthite/maps-osrm safe?

https://github.com/openclaw/skills/tree/main/skills/adhishthite/maps-osrm

92
SAFE

The adhishthite/maps-osrm skill is a straightforward geocoding and routing wrapper over public OSM/OSRM APIs. Its source code contains no prompt injection, no credential harvesting, no install hooks, and no obfuscated execution paths. The credential file reads visible in monitoring logs are temporally and contextually attributable to the audit harness canary system, not the skill — all canary integrity checks passed, and the skill files contain no references to sensitive paths. The only substantive consideration is that user location queries are transmitted to third-party public API servers, which is the skill's documented and required function.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (4)

LOW User location data transmitted to third-party public APIs -10

The skill sends place-name queries and geographic coordinates to Nominatim (OpenStreetMap) and OSRM's public demo server. While this is the skill's stated and required functionality, it means user location intent is visible to those servers and subject to their retention policies.

INFO Credential file reads observed — attributable to audit framework -5

inotify and auditd logs show reads of /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud ADC. These reads occur at Unix timestamp 1771940133 (6 seconds before the git clone at 1771940139) and at 1771940156 (post-install canary verification). The skill source files contain zero references to any of these paths, confirming this activity originates from the audit harness creating and verifying canary files, not from the skill.

INFO Inline Python interpreter invoked by bash scripts -10

Both scripts use python3 -c '...' to perform URL encoding and HTTP requests. The Python code is fully inline and auditable, with no dynamic eval, exec, or remote import. Input is passed via sys.argv (not shell interpolation), preventing shell command injection.

INFO Normal GitHub HTTPS clone; no unexpected network activity -12

The only external network connection during install was to GitHub (140.82.121.4:443) for the git clone. No other unexpected outbound connections were made. Post-install connection state is identical to pre-install state.