Is aditya4206360-prog/sr1 safe?

https://github.com/openclaw/skills/tree/main/skills/aditya4206360-prog/sr1

Score: 77 (CAUTION)

The Swiggy food ordering skill presents a moderate-risk profile primarily driven by a missing bin/swiggy binary that is declared in both package.json and SKILL.md but entirely absent from the repository, making the skill non-functional and creating an undefined future execution path if the binary is later committed. The SKILL.md itself is clean of prompt injection — the safety rules enforce explicit confirmation before placing orders — but the skill by design transmits user delivery addresses and personal data to external Swiggy MCP servers, and the COD-only non-cancellable order model creates irreversible financial risk if the confirmation workflow is ever bypassed. An uninspected mcporter dependency handles all MCP proxying and represents an additional uninvestigated attack surface.

Category Scores (score/100 · weight in overall score)

Prompt Injection 90/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (9)

HIGH Declared CLI binary absent from repository -25

Both package.json (fields: main and bin.swiggy) and SKILL.md installation instructions reference a bin/swiggy CLI binary. The baseline filesystem diff confirms only four files exist in the installed skill: _meta.json, SKILL.md, README.md, and package.json. The binary is entirely missing. This makes the skill non-functional as-is and raises the question of where the binary is expected to come from. If added to the repository in a future update, it would execute on user systems without re-audit.

HIGH npm link installs non-existent binary as global command -10

The SKILL.md installation instructions direct users to run 'npm link' after installing the skill. This would attempt to create a global 'swiggy' command pointing to the absent bin/swiggy file. If the binary is later added to the repository, running npm link would silently install it as a globally executable command on the user's system, bypassing any future review.

MEDIUM User addresses and order data transmitted to external MCP servers -15

The skill's core function requires transmitting delivery addresses, restaurant IDs, item selections, quantities, and order confirmations to Swiggy's HTTP MCP servers (mcp.swiggy.com/food, mcp.swiggy.com/im, mcp.swiggy.com/dineout). While this is expected for a food ordering integration, users should be aware their personal location data and ordering patterns are shared with Swiggy's infrastructure.

MEDIUM Skill reads personal profile data from USER.md -10

SKILL.md instructs the agent to map informal address references ('home', 'office') to actual addresses stored in USER.md. This causes the agent to read personal profile data and include it in requests sent to Swiggy's MCP servers, expanding the personal data exposure surface.

MEDIUM COD-only non-cancellable orders create irreversible financial risk -20

The skill operates exclusively in Cash on Delivery mode and explicitly states orders cannot be cancelled once placed. This means any successful order — whether legitimate or triggered by a prompt manipulation attack on the confirmation workflow — results in an irreversible financial commitment. The risk is amplified by the skill's access to user address data.

MEDIUM Uninspected mcporter dependency adds unaudited execution surface -15

The skill declares a runtime dependency on the 'mcporter' skill, which it uses to proxy all MCP server communications. mcporter was not audited in this review. A compromised or malicious mcporter could intercept, modify, or exfiltrate all data flowing through the Swiggy integration without this skill's SKILL.md containing any visible malicious content.

LOW Version mismatch between _meta.json and package.json -5

_meta.json reports version 1.0.1 while package.json reports version 1.0.2. This inconsistency suggests the repository may be in an intermediate or improperly maintained state, consistent with the missing binary issue.

LOW Canary files accessed during monitoring lifecycle — attributed to oathe framework -10

Sensitive canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/credentials) were opened at timestamps 1771648204 (before clone) and 1771648225 (after analysis). Both access windows align with oathe monitoring framework initialization and post-install canary verification phases rather than skill activity. Canary integrity confirmed intact.

INFO Instruction to read USER.md for address context -5

SKILL.md instructs the agent to consult USER.md when resolving informal location references. This is a common pattern in Clawdbot skills but directs the agent to access and process personal data. No injection or override behavior detected.