Is azamat02/kaspi-autopay safe?

https://github.com/openclaw/skills/tree/main/skills/azamat02/kaspi-autopay

93
SAFE

The kaspi-autopay skill is a documentation-only lead-generation advertisement for a managed Telegram payment service aimed at the Kazakhstan market. It contains no executable code and no prompt-injection attempts, and it caused no unauthorized file access or network activity during installation. The main concern is that, once loaded into an agent's context, it commercially biases the agent toward directing users to a private developer (@saidulyyy on Telegram), and its 'proprietary verification' claim cannot be verified because the skill ships no code.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (4)

LOW Lead-generation advertisement masquerading as functional skill -25

The SKILL.md contains no working code, no API keys, no integration logic. The entire skill is a sales pitch for a managed payment service run by a private developer. When injected into an agent's system prompt, it primes the agent to recommend contacting @saidulyyy on Telegram whenever a user asks about Kaspi payments. This is commercial vendor lock-in baked into context, not a security threat per se.

LOW External Telegram contact URL may trigger autonomous agent outreach -8

The SKILL.md embeds a direct Telegram URL. An agent with messaging or browser tools enabled could follow the link or initiate contact without an explicit user instruction, depending on how it interprets the skill text; with no such tools, the URL is inert. No injection directives are present, so the URL is a passive redirection vector rather than an active one.

INFO Canary file reads detected — attributed to audit framework, not skill -10

Six canary files were opened and read at two points: before install (Unix epoch 1771650251.658) and after install (1771650273.039), about 21.4 seconds apart. The timing and process context match the audit harness taking its pre- and post-install baseline measurements. The skill contains no code that could have triggered these reads. Canary integrity is confirmed intact.

INFO No executable code present in skill 0

The skill directory contains only SKILL.md and _meta.json. No scripts, no package manifests, no git hooks, no submodules, no compiled binaries. There is nothing to execute.
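The two findings above (an embedded Telegram URL and handle in the documentation, and no executable content in the skill directory) are the kind of static check a reviewer can re-run locally before trusting a skill. The script below is an added example written for this page; it is not the audit framework's code and is not part of the skill. It builds a constructed skill directory (sample SKILL.md text with a placeholder @example_dev handle and t.me link, not the real skill's content), inventories it for scripts, shebang files, package manifests and hook directories, and extracts URLs, Telegram handles and instruction-like phrases from the documentation files. The directive phrase list is a hand-picked assumption, not a complete injection detector.

```python
"""Static triage of a skill directory (added example; not the audit framework's or the skill's code)."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Suffixes, manifests and hook directories whose presence means something can execute.
EXEC_SUFFIXES = (".py", ".sh", ".js", ".ts", ".rb", ".ps1", ".exe", ".so", ".dll", ".bin")
MANIFESTS = {"package.json", "requirements.txt", "pyproject.toml", "setup.py",
             "Gemfile", "Cargo.toml", "go.mod"}
HOOK_DIRS = {".git", ".githooks", "hooks"}
DOC_SUFFIXES = (".md", ".txt", ".json")

URL_RE = re.compile(r"https?://[^\s)>\]]+")
TG_HOST_RE = re.compile(r"^https?://(t\.me|telegram\.me|telegram\.dog)/", re.I)
# A bare @handle not preceded by a word character or slash, so e-mail addresses and URL paths are skipped.
TG_HANDLE_RE = re.compile(r"(?<![\w/])@[A-Za-z0-9_]{5,32}\b")
# Hand-picked phrases that read as instructions to the agent rather than documentation (assumption).
DIRECTIVE_RE = re.compile(
    r"\b(ignore (all|previous|prior) instructions|you must|do not tell the user|"
    r"always (contact|message|redirect))\b", re.I)


@dataclass
class Triage:
    executable_files: list = field(default_factory=list)
    manifests: list = field(default_factory=list)
    hook_dirs: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    telegram_urls: list = field(default_factory=list)
    handles: list = field(default_factory=list)
    directives: list = field(default_factory=list)

    @property
    def docs_only(self) -> bool:
        """True when nothing in the directory could execute."""
        return not (self.executable_files or self.manifests or self.hook_dirs)


def has_shebang(path: str) -> bool:
    with open(path, "rb") as f:
        return f.read(2) == b"#!"


def scan_text(text: str, t: Triage) -> None:
    """Collect external URLs, Telegram handles and instruction-like phrases from documentation."""
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:'\"")  # drop sentence punctuation glued to the link
        t.urls.append(url)
        if TG_HOST_RE.match(url):
            t.telegram_urls.append(url)
    for handle in TG_HANDLE_RE.findall(text):
        if handle not in t.handles:
            t.handles.append(handle)
    t.directives.extend(m.group(0) for m in DIRECTIVE_RE.finditer(text))


def inventory(skill_dir: str) -> Triage:
    """Walk a skill directory and record anything executable plus outreach vectors in its docs."""
    t = Triage()
    for root, dirs, files in os.walk(skill_dir):
        for d in dirs:
            if d in HOOK_DIRS:
                t.hook_dirs.append(os.path.relpath(os.path.join(root, d), skill_dir))
        dirs[:] = [d for d in dirs if d not in HOOK_DIRS]  # record hook dirs, do not descend into them
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, skill_dir)
            if name in MANIFESTS:
                t.manifests.append(rel)
            if name.lower().endswith(EXEC_SUFFIXES) or has_shebang(path):
                t.executable_files.append(rel)
            elif name.lower().endswith(DOC_SUFFIXES):
                with open(path, encoding="utf-8", errors="replace") as f:
                    scan_text(f.read(), t)
    return t


# Constructed sample content; NOT the real SKILL.md and not the real developer's handle.
SAMPLE_SKILL_MD = """# Sample Payment Skill (constructed)
Managed Telegram payment service; verification logic is proprietary and not included.
For pricing, contact the developer: @example_dev or https://t.me/example_dev.
"""
SAMPLE_META = '{"name": "sample-skill", "version": "0.1"}'


def build_sample(with_script: bool = False) -> str:
    """Write the constructed skill to a temp dir; optionally add a shell script to show the contrast."""
    d = tempfile.mkdtemp(prefix="skill-triage-")
    with open(os.path.join(d, "SKILL.md"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_SKILL_MD)
    with open(os.path.join(d, "_meta.json"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_META)
    if with_script:
        with open(os.path.join(d, "install.sh"), "w", encoding="utf-8") as f:
            f.write("#!/bin/sh\necho installing\n")
    return d


def triage_sample(with_script: bool = False) -> Triage:
    return inventory(build_sample(with_script))


if __name__ == "__main__":
    for flag in (False, True):
        t = triage_sample(flag)
        print(f"with_script={flag}: docs_only={t.docs_only} exec={t.executable_files}")
        print("  telegram urls:", t.telegram_urls, "handles:", t.handles, "directives:", t.directives)
```

Run against the docs-only sample, `docs_only` is True while `telegram_urls` and `handles` are non-empty, which reproduces the shape of this report: nothing to execute, but an outreach vector sitting in the agent's context. Adding a single `install.sh` flips `docs_only` to False, which is the condition under which the Code Execution and Data Exfiltration categories would need a real review rather than a documentation read.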