Is anishtr4/x-trends-dev safe?
https://github.com/openclaw/skills/tree/main/skills/anishtr4/x-trends-dev
This skill is a straightforward Node.js CLI tool that fetches publicly available X/Twitter trending topics by scraping getdaytrends.com. The SKILL.md contains no prompt injection, the executable code performs only its stated function with no file system access or unauthorized network endpoints, and the installation process made only the expected GitHub connection with no persistent listener changes. Minor concerns include a version mismatch between package.json and the lockfile indicating stale dependency management, and the inherent risk that any skill making outbound HTTP requests could serve as a conduit if the upstream site were compromised.
Findings (5)
LOW Outbound HTTP to third-party scraping aggregator -8
index.js makes an HTTPS GET request to getdaytrends.com on every invocation. While this is the skill's declared and sole purpose, it creates an outbound channel to a site the user does not control. A compromised or malicious version of getdaytrends.com could serve manipulated trend data or inject content into the agent's context via the HTML response parsed by cheerio.
LOW Dependency version constraint drift in package.json vs package-lock.json -11
The declared semver ranges in package.json (commander ^12, ora ^8, cheerio ^1.0.0) resolve to significantly newer major versions in the lockfile (commander 14.0.2, ora 9.1.0, cheerio 1.2.0). The cheerio 1.2.0 lockfile entry pulls in undici 7.19.2 as a transitive dependency — a large networking library not implied by the stated constraints. Additionally the top-level version field is 1.2.0 in package.json but 1.0.0 in package-lock.json, indicating the lockfile was not regenerated.
INFO Sparse monorepo clone pattern is expected but creates transient GitHub connection -7
Installation clones the full openclaw/skills monorepo with --depth 1 then uses sparse-checkout to extract only this skill's subdirectory. This is standard for monorepo-hosted skills and the connection is to a known GitHub IP (140.82.121.4). No residual network state was created.
INFO Canary files read by monitoring framework, not by skill -2
Filesystem audit events show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were opened at 1771651251 (5 seconds before git clone began) and again at 1771651268 (after install completion). Timing and context confirm these are from the Oathe monitoring system establishing baseline hashes and performing final integrity checks. The skill code contains no fs imports.
INFO SKILL.md references external URL in documentation -3
The SKILL.md frontmatter and body reference getdaytrends.com as the data source. This is appropriate disclosure rather than an injection vector. No instructions direct the agent to fetch the URL autonomously; the URL appears only as documentation of the underlying data source.