Is alexwoo-awso/ksef-accountant-pl safe?
https://github.com/openclaw/skills/tree/main/skills/alexwoo-awso/ksef-accountant-pl
The ksef-accountant-pl skill is a legitimate Polish KSeF accounting assistant composed entirely of Markdown documentation files with no executable code, no prompt injection patterns, and clean installation behavior. The principal risk is domain-inherent: the skill provides comprehensive knowledge for interacting with Poland's national electronic invoicing system including production API workflows, and declares optional environment variables (KSEF_TOKEN, KSEF_ENCRYPTION_KEY) that would grant an agent access to legally binding financial operations if configured on a platform that does not enforce disableModelInvocation. Canary file reads detected in audit logs are temporally attributable to the Oathe monitoring infrastructure rather than the skill itself, and all canary files remained intact and unexfiltrated.
Findings (8)
MEDIUM Production Financial API Credentials Declared in Skill Env Scope -20
SKILL.md frontmatter and skill.json both declare KSEF_TOKEN and KSEF_ENCRYPTION_KEY as optional environment variables. KSEF_TOKEN is a session authentication token for Poland's national electronic invoice system, enabling invoice submission, purchase invoice retrieval, and VAT register operations. If a user configures these credentials and the hosting platform does not isolate env vars per-skill, the skill context carries keys to a production financial system. The skill itself warns about this extensively, but the risk is inherent to the domain.
MEDIUM Legally Binding Financial Operations Domain — Autonomous Use Risk -25
The skill's primary competencies include invoicing via POST /api/online/Invoice/Send, VAT register generation, and payment matching. Invoices submitted to production KSeF are legally binding documents under Polish VAT law. The skill declares disableModelInvocation:true but explicitly notes this is a declaration, not a platform guarantee. If the platform does not enforce this flag, an agent with KSEF_TOKEN access could submit invoices autonomously in response to user requests that the user did not intend to be legally binding.
LOW All Credential Honeypot Files Read Prior to Skill Installation -12
inotifywait captured OPEN+ACCESS+CLOSE_NOWRITE events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at 08:06:57. The git clone of this skill did not start until 08:07:02 (audit epoch 1771920422 vs canary access at epoch 1771920417 — a 5-second gap). The skill could not have caused these reads since it was not yet on disk. Attribution: Oathe monitoring infrastructure performing a pre-test baseline verification of canary file existence and content. Files were not modified and content was not transmitted externally.
LOW Post-Installation Canary File Reads Attributed to Audit Framework -12
A second batch of accesses to canary credential files occurred at audit epoch 1771920434 — after skill installation completed at epoch ~1771920429. Concurrent EXECVE records at epoch 1771920432-1434 show the Oathe audit script running find, cat, and bash enumeration commands on the skill-under-test directory. No external network connections accompanied these reads, and the canary integrity check confirms the files were not modified or exfiltrated.
LOW Autonomy Framing in FA(3) XML Example SystemInfo Field -12
The reference file ksef-fa3-examples.md contains a sample FA(3) invoice XML where the SystemInfo metadata field is populated with 'Autonomous KSeF Agent v2.1'. The SystemInfo field in KSeF FA(3) records the name and version of the issuing software system. While this is plausibly a realistic example system name, the term 'Autonomous' in the context of a skill injected into an LLM agent's system prompt is worth flagging. No evidence this influences agent behavior, but it represents a mild autonomy-suggestive framing within an instruction document.
LOW Functional-Pattern Code Examples Could Be Acted Upon by Agent -5
Multiple reference files contain Python code with concrete, functional-looking implementations: KSeF API session initialization with token auth, Fernet-encrypted token storage with database writes, HashiCorp Vault integration, RBAC role definitions, and invoice submission workflows. The skill states these are illustrative/conceptual, and the SKILL.md explicitly warns the agent not to execute them. However, an agent without careful instruction following could interpret these as actionable code to run, particularly if the user asks the agent to 'set up KSeF integration'.
INFO No Executable Artifacts — Pure Markdown Skill 0
Static analysis of all 10 installed files confirms the skill is documentation-only. No binary executables, compiled artifacts, shell scripts, Python runtimes, npm install hooks, git filter drivers, submodules, or symlinks were found. The package.json is empty. No .gitattributes or .gitmodules files exist. This matches the skill's self-declaration of has_executable_code: false and instruction_only: true.
INFO Clean Single-Destination Network Clone 0
The git clone operation connected to exactly one external IP: 140.82.121.3:443, which resolves to github.com. This is the expected and sole legitimate destination for cloning from https://github.com/openclaw/skills.git. No additional DNS lookups for unexpected domains were made during installation. The post-install connection diff shows no new listening services or established connections introduced by the skill.