Is aisapay/aisa-financial-data safe?

https://github.com/openclaw/skills/tree/main/skills/aisapay/aisa-financial-data

Overall score: 87 (SAFE)

The AIsaFinancialData skill is a straightforward commercial API integration providing stock and cryptocurrency market data via the aisa.one service. No prompt injection, hidden instructions, malicious code patterns, or canary exfiltration were detected; the Python client uses only the standard library and communicates exclusively with the declared API endpoint. The primary risk is inherent to any paid API integration: the user's AISA_API_KEY is transmitted to a third-party service, and autonomous agent usage could accumulate API charges without per-call confirmation.

Category Scores

Prompt Injection 91/100 · 30%
Data Exfiltration 83/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 87/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

LOW AISA_API_KEY transmitted to third-party commercial service -12

The skill instructs the agent to set AISA_API_KEY, and all API calls in market_client.py transmit this bearer token to api.aisa.one. This is inherent to the skill's design, but it means the user's paid API credentials are handled by the agent on behalf of a third-party service. If the agent is compromised or the API key is logged elsewhere, credit abuse is possible.

INFO Canary credential files accessed during audit — attributed to audit framework -5

Auditd PATH records show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at two timestamps. Both timestamps align with the oathe audit system's pre-install baseline recording and post-install verification phases, not with any skill code execution. Canary integrity check confirms all files are intact.

INFO openclaw-gatewa process holds external connections in post-install snapshot -8

The AFTER connection diff shows a process named openclaw-gatewa (pid=1085) with established HTTPS connections to AWS EC2 IPs and a Cloudflare IP, plus local listeners on 127.0.0.1:18790 and 127.0.0.1:18793. This process is not spawned by the skill; its PID and the pre-existence of /home/oc-exec/.openclaw-executor/gateway.pid in the baseline confirm it is OpenClaw execution-environment infrastructure.

INFO {baseDir} template requires runtime path substitution -5

SKILL.md Python examples use the literal string {baseDir} as a placeholder for the skill's installation directory. This is standard practice for skills that bundle executable scripts; the platform is expected to substitute the real path. No injection risk if the platform correctly sanitizes the substituted path.

INFO Paid API credit consumption is an implicit user cost -5

The skill's pricing table shows per-call costs (e.g., $0.001 per stock price query). An agent operating autonomously with this skill and a valid API key could accumulate costs without explicit per-call user approval. This is a UX/billing risk, not a security vulnerability, but should be disclosed to users.