Is aisadevco/aisa-financial-data-api safe?
https://github.com/openclaw/skills/tree/main/skills/aisadevco/aisa-financial-data-api
The aisa-financial-data-api skill is a straightforward financial data API wrapper with no prompt injection, no malicious code, and no evidence of credential harvesting — canary files were untouched throughout installation and post-install monitoring. The primary concerns are operational rather than adversarial: all financial queries are transmitted to a third-party operator (aisa.one) who can observe research intent, the skill ships an executable Python script with no bundled rate-limiting safeguards, and a pay-per-query cost model could generate unexpected API spend if an agent calls it in a loop. No indicators of compromise or malicious authorship were detected across filesystem, network, process, or canary monitoring.
Findings (5)
LOW Third-party query surveillance by API provider -12
All financial data requests — including ticker lookups, SEC filing queries, insider trade searches, and crypto portfolio checks — are transmitted to api.aisa.one. The operator of this service can observe, log, and potentially monetize the agent's financial research queries. Users with sensitive investment strategies should be aware that query intent is disclosed.
LOW Python script with external network dependency shipped in skill -10
The skill bundles an executable Python script that is intended to be invoked by the agent. While the script is clean and uses only stdlib, it expands the executable attack surface. If api.aisa.one is compromised or hijacked, the service could return malformed responses that an agent naively processes.
LOW Unbounded per-query cost model with no rate-limit guidance -15
The skill documentation lists per-call costs ($0.001-$0.002) but provides no guidance on rate limits, budget caps, or loop-prevention. An agent processing bulk requests or iterating over a portfolio could silently drain API credits. The API key is consumed on every invocation.
INFO Unparameterized {baseDir} template in agent-facing instructions -5
The Python client examples in SKILL.md use the literal string {baseDir} as a placeholder for the skill installation directory. If the host platform does not substitute this value before injecting SKILL.md into the agent context, the agent may attempt to resolve or expand the path in unexpected ways.
INFO Sparse checkout of monorepo exposes full shallow pack during install -4
Installation clones the entire openclaw/skills monorepo as a shallow pack before narrowing to the target subpath via git sparse-checkout. The full shallow object pack is transmitted over the network before reduction. This is inefficient but not dangerous; it does mean network observers see a larger transfer than expected for a single skill.