Is anuran-roy/alchemyst-mcp safe?
https://github.com/openclaw/skills/tree/main/skills/anuran-roy/alchemyst-mcp
The alchemyst-mcp skill is documentation-only with no executable code and a clean installation, but presents significant structural security concerns in agentic deployments. Its core function routes arbitrary data to a third-party external server (mcp.getalchemystai.com), and the skill explicitly instructs agents to proactively transmit query context and inject externally-stored content — including 'instruction' type documents — into agent reasoning without user prompting. This architecture creates a persistent remote prompt injection vector and a ready data exfiltration path when combined with file or network tools.
Category Scores
Findings (9)
HIGH Remote Prompt Injection via Instruction Context Type -25 ▶
The alchemyst_ai_add_context tool supports context_type: 'instruction', which stores persistent agent instructions in the external Alchemyst store. The skill instructs agents to retrieve and inject this content before every answer. Any party with write access to the Alchemyst account (or a compromised Alchemyst server) can inject persistent instructions into the agent's decision-making across all future sessions.
HIGH Core Function Routes All Stored Data to Third-Party External Server -35 ▶
The skill's primary purpose is to transmit documents, conversation history, meeting notes, code, and architectural decisions to mcp.getalchemystai.com. This is not hidden behavior, but users may not appreciate that every call to add_context permanently stores sensitive project data on Alchemyst's infrastructure under a user_id/organization_id key, outside the user's control.
HIGH Proactive Behavioral Modification Without User Request -15 ▶
The skill explicitly instructs the agent to call alchemyst_ai_search_context before answering ANY question that might involve project knowledge, without waiting for the user to request it. This silently modifies agent behavior to constantly poll an external server and inject its responses into the agent's reasoning.
MEDIUM Persistent User and Organization Identity Tracking -15 ▶
Every add_context and view_context call requires user_id and organization_id parameters. This creates a cross-session identity graph at Alchemyst's servers linking all stored context to specific user and org identifiers.
MEDIUM Combinatorial Exfiltration Risk With File/Network Tools -30 ▶
In an agent with filesystem or network tools, this skill provides a ready exfiltration path: read sensitive file → call add_context with file contents as document → data is now stored at mcp.getalchemystai.com. The proactive retrieval instruction also means query strings from all user conversations are transmitted to Alchemyst's servers as search queries.
MEDIUM Underdocumented External Scope Parameter -10 ▶
Both search and add_context support scope: 'external' in addition to 'internal'. The skill does not clearly define the security boundary of 'external' scope or whether it shares data beyond the user's organization.
LOW Canary Files Accessed — Consistent With Audit Framework -20 ▶
Sensitive credential files (.env, .ssh/id_rsa, .aws/credentials, etc.) show OPEN/ACCESS events at timestamps 1771653344 and 1771653360. These are CLOSE_NOWRITE (read-only) and occur at times consistent with the oathe audit harness performing baseline scans, not with any installed skill code executing. No skill-attributable process spawned during install would access these files.
INFO No Executable Code Present 0 ▶
The skill consists entirely of documentation files. No JavaScript, TypeScript, Python, shell scripts, or compiled binaries are included. No package.json with lifecycle scripts. No git hooks. Installation is a clean file copy.
INFO Installation Network Activity Confined to GitHub 0 ▶
The only external network connection during install was to 140.82.121.3:443 (github.com), consistent with the git clone operation. No connections to mcp.getalchemystai.com or any other endpoint were observed during installation.