Is benjaminorthner/willhaben safe?

https://github.com/openclaw/skills/tree/main/skills/benjaminorthner/willhaben

93
SAFE

The Willhaben skill is a legitimate listing automation tool for the Austrian marketplace willhaben.at: it creates and posts listings via browser automation. It contains no executable code, no prompt injection attempts, and no instructions to access sensitive system files, and all canary files remained intact during testing. The only meaningful risk is inherent to browser-automation skills in general: the skill operates with an active authenticated browser session, giving it theoretical access to more of the Willhaben account than strictly needed for listing creation.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 91/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (5)

LOW User photos and listing data transmitted to willhaben.at -5

The skill's primary function involves uploading user photos and personal information (location, item descriptions, pricing) to an external Austrian marketplace. This is the intended purpose and is fully disclosed, but users should be aware their photos and location data leave their local environment.

LOW Active browser session with saved marketplace credentials -7

The skill operates using a browser profile containing saved Willhaben login credentials. For its stated purpose this is necessary, but it means the agent has elevated access to the Willhaben account for the duration of operation. Any future modification to this skill could silently abuse that access.

INFO Skill contains no executable code -2

All skill files are Markdown or JSON. No scripts, npm packages, git hooks, or submodules exist. Attack surface from the skill artifact itself is minimal.

INFO Install confined to expected git operations 0

The installation script performed only a shallow sparse-checkout clone of the public openclaw/skills monorepo, copied the target subpath, and cleaned up. No additional packages were fetched and no scripts were executed.

INFO Canary files accessed only by audit scanner, not skill 0

The identical 6-file canary access sequences at pre-install and post-install timestamps are the Oathe scanner's own verification routine. No canary file was written to or exfiltrated by the skill.