Is benny-conn/trackyard safe?
https://github.com/openclaw/skills/tree/main/skills/benny-conn/trackyard
The Trackyard skill provides legitimate music search and download functionality through a clean bash script implementation. While monitoring detected concerning access to sensitive files, no actual exfiltration occurred and the skill code contains no malicious logic.
Findings (3)
MEDIUM Sensitive File Access During Monitoring -35
System monitoring detected access to sensitive canary files including .env, SSH private keys, and AWS credentials. While no files were modified and the skill code contains no logic to read these files, the access pattern is concerning.
LOW External API Dependency -20
The skill depends on an external service (trackyard.com) and requires users to provide their own API key, creating a trust dependency on a third-party service.
LOW File Download Capability -10
The skill downloads .mp3 files to the current directory, which could potentially consume disk space or be used to write files to the filesystem.