Is arrmlet/social-data safe?

https://github.com/openclaw/skills/tree/main/skills/arrmlet/social-data

92/100 · SAFE

This skill is a documentation-only resource (SKILL.md + _meta.json) with no executable code, no install-time scripts, no git hooks, and no prompt injection content. It provides clean API documentation for the Macrocosmos SN13 social media data service on Bittensor. The audit environment detected read-only accesses to canary credential files, but timing analysis conclusively places these accesses before the skill was cloned and after examination completed, pointing to audit infrastructure baseline checks rather than the skill; the canary integrity system confirms all files intact. The only substantive concerns are minor: a declared MC_API environment variable dependency and the inherent potential for the social media data collection functionality to be misused for surveillance under adversarial user instructions.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 99/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

LOW Canary credential files accessed read-only during audit session -13

All six canary credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP application_default_credentials.json) were opened and read during the audit. All access events are CLOSE_NOWRITE (no modification). The first batch occurs at inotify timestamp 05:37:41 / auditd 1771652261.752, which is ~5 seconds before the git clone begins at 1771652267.266, so the skill could not have caused the pre-clone accesses. The second batch at 1771652283.895 occurs after the skill examination completes. The pattern (all six files accessed atomically, twice, bracketing the session) matches oathe audit infrastructure performing baseline and exit-state canary checks. The skill itself contains zero executable code. The canary integrity system confirms no exfiltration occurred.

LOW Social media surveillance potential via username and bulk collection APIs -20

The skill exposes both real-time per-user tweet lookups and a multi-day crawl API (Gravity) capable of building Parquet datasets of up to 10,000+ rows per crawler. Under adversarial user instructions, an agent equipped with this skill could be directed to continuously monitor a specific individual's social media activity, map follower/following networks, or build dossiers from public posts. This is a misuse vector enabled by the skill's legitimate functionality, not by any malicious design in the skill itself.

INFO MC_API environment variable declared as required secret 0

The skill transparently declares MC_API as a required secret environment variable passed as a Bearer token. Agents will be directed to read this variable when making API calls. The declaration is explicit and follows standard secret-injection practice; no attempt is made to read additional environment variables or use the key for anything beyond the stated API authentication purpose.

INFO Python and curl code examples present but non-executable on install 0

SKILL.md includes curl and Python code blocks demonstrating API usage. These are injected into the agent's context as documentation and are only executed if the agent actively runs them via tool calls. They do not execute during installation and contain no malicious payloads — all examples use placeholder 'YOUR_API_KEY' strings and target only the declared API endpoint.