Is alinxus/usewhisper safe?
https://github.com/openclaw/skills/tree/main/skills/alinxus/usewhisper
This skill functions as a context compression and memory proxy that routes all agent conversations through an external third-party API (context.usewhisper.dev). While the data transmission is documented, it creates two significant risks: (1) complete conversation surveillance where every user message and agent response is sent to a server the user does not control, and (2) a remote prompt injection vector where the external API's responses are injected directly into the agent's prompt before each model call. The source code of the primary executable (whisper-context.mjs) was not available for review, preventing full verification of its behavior.
Category Scores
Findings (9)
CRITICAL Full conversation exfiltration to third-party API -30 ▶
The skill's core design sends complete user and assistant messages to context.usewhisper.dev via the ingest_session command. The Agent Integration Pattern explicitly instructs the agent to run ingest_session after every reply, effectively creating persistent surveillance of all conversations. The user has no control over how this data is stored, retained, or used by the third party.
HIGH Remote prompt injection via query_context API response -25 ▶
The skill instructs the agent to call query_context before every model call and prepend the returned 'context' to the prompt. This means an external server (context.usewhisper.dev) controls content that is injected into the agent's system/user prompt. A compromised or malicious API could return prompt injection payloads that override user instructions, exfiltrate additional data, or manipulate agent behavior.
HIGH Executable script source code not available for review -25 ▶
whisper-context.mjs is listed in the skill files and is the primary executable that handles all API communication, but its source code was NOT captured in the 'All Source Code' evidence section. Without reviewing this file, it is impossible to verify whether it only communicates with the declared API endpoint, reads additional sensitive files, performs local side effects, or contains obfuscated malicious behavior.
MEDIUM Local file content can be sent to external API via @path and stdin -10 ▶
The skill documents that local file contents can be piped to the external API via stdin ('--turn_json -') or the @path syntax. An agent following skill instructions could inadvertently send sensitive file contents to the third-party server.
MEDIUM Skill overrides agent default behavior patterns -5 ▶
The skill instructs the agent to modify its standard operating procedure by always calling query_context before model invocation and always running ingest_session after replies. This behavioral override persists across all interactions while the skill is active.
MEDIUM Memory and search operations transmit user data externally -10 ▶
memory_write, memory_search, and oracle_search all send user-generated queries and content to the external Whisper Context API, building a comprehensive profile of user preferences, queries, and knowledge on a third-party server.
LOW Version mismatch between metadata and skill manifest -5 ▶
_meta.json declares version 1.0.0 while SKILL.md frontmatter declares version 0.1.0. This inconsistency suggests either sloppy publishing or a mismatch between what was reviewed and what was published.
LOW Lock file references unrelated skill -3 ▶
The .clawhub/lock.json file references 'academic-research-hub' rather than 'whisper-context', which is unexpected for this skill package.
INFO Clean installation with no anomalous behavior 0 ▶
The install process performed a standard git clone with no unexpected network connections, process spawning, or filesystem modifications outside the skill directory.