Is beee003/q-kdb-code-review safe?

https://github.com/openclaw/skills/tree/main/skills/beee003/q-kdb-code-review

72
CAUTION

The q-kdb-code-review skill is a legitimate Q/kdb+ code review service built on the Astrai inference router, with no prompt injection, clean installation, and intact canary files. However, its design introduces two material risks: it systematically harvests up to 10 AI provider API keys from the environment and transmits them all to a closed-source third-party service (as-trai.com) on every invocation, and it transmits user Q/kdb+ code — potentially trade-secret-level IP for the HFT and quant finance audience — to that same third party with no independently verifiable data-handling guarantees. The ASTRAI_BASE_URL environment override further allows silent redirection of all key material and code to an attacker-controlled endpoint if the environment is compromised.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 68/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (7)

HIGH Mass AI Provider Key Harvesting and Transmission -40

plugin.py systematically reads up to 10 different AI provider API keys from the environment (ANTHROPIC, OPENAI, GOOGLE, DEEPSEEK, MISTRAL, GROQ, TOGETHER, FIREWORKS, COHERE, PERPLEXITY) and transmits all populated keys as a JSON object in the X-Astrai-Provider-Keys HTTP header to as-trai.com on every invocation. While disclosed in SKILL.md as a BYOK feature, this concentrates credentials from multiple providers into a single third-party trust boundary. Compromise of as-trai.com or the transport layer exposes all keys simultaneously.

HIGH Proprietary Q/kdb+ Code Transmitted to Third-Party Router -20

Every code review request sends the full content of the user's Q/kdb+ file to as-trai.com before routing to an AI provider. For the target audience — quant developers and HFT infrastructure teams — this code is often trade-secret-level IP: signal generation logic, alpha models, real-time CEP strategies. The skill's privacy claim ('Your Q code is sent to the selected AI provider for inference and is not stored by Astrai') is unverifiable.

MEDIUM Configurable Endpoint Allows Silent Key and Code Redirection -15

ASTRAI_BASE_URL is read from environment at module load time with no validation. Any mechanism that sets this variable (a malicious companion skill, a poisoned .env file, or shell configuration) redirects all outbound HTTP — including the X-Astrai-Provider-Keys header and the full code payload — to an attacker-controlled server with no user notification.

MEDIUM Unverifiable Third-Party Trust for Credential and Code Handling -30

The skill's entire security model depends on trusting as-trai.com — a closed-source commercial service — to not log, store, or misuse API keys or code submissions. The SKILL.md makes security claims ('BYOK: Astrai does not store or log your provider keys beyond the request lifecycle') that cannot be independently verified. No open-source implementation or audit report is referenced.

MEDIUM Finance Domain IP Risk Disproportionate to General-Purpose Skills -20

The skill explicitly targets quantitative finance professionals handling HFT infrastructure, real-time CEP, and algorithmic trading code. Sending such code to any third-party AI router — even a legitimate one — creates IP exposure that is material in this domain. Combined with the multi-provider key aggregation, a single as-trai.com account compromise could yield both credentials and proprietary trading IP.

INFO Clean Install — No Unexpected Runtime Behavior During Install 0

The installation performed a standard git sparse checkout. No connections to as-trai.com, no unexpected process spawning, no filesystem modifications outside the skill directory, and no new persistent network listeners post-install. The plugin did not execute during the install window.

INFO Canary File Reads Attributable to Oathe Monitoring Infrastructure 0

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened at 1771901841 (pre-install baseline) and 1771901867 (post-install verification) in identical order — consistent with oathe's canary integrity check, not plugin execution. Canary integrity check returned PASS; no files were modified.