Is bennyqp/datafast-analytics safe?
https://github.com/openclaw/skills/tree/main/skills/bennyqp/datafast-analytics
The bennyqp/datafast-analytics skill is a straightforward API wrapper for the DataFast analytics service with no prompt injection, hidden code, or malicious network behavior detected. Sensitive file reads observed in monitoring are conclusively attributable to the oathe test harness (occurring 5 seconds before the git clone began) rather than to the skill itself, and all canary files remain intact. The primary risks are operational: destructive DELETE endpoints for goals and payments, exposure of visitor PII through the declared API, and the inherent prompt-injection surface created by parsing untrusted JSON responses from an external service.
Findings (7)
MEDIUM Destructive bulk-delete endpoints exposed to agent -10
The skill surfaces DELETE /goals and DELETE /payments as agent-callable actions. While SKILL.md includes a confirmation step and requires echoing the final URL, a sufficiently crafted user prompt or a secondary skill could bypass these soft guards. Mass deletion of conversion goals or payment records would cause irreversible data loss for the user's analytics account.
MEDIUM Skill handles visitor PII through declared external API -10
The DataFast API surfaces visitor-level behavioral data (device, referrer, location, goals, payment metadata including email addresses) through multiple endpoints. The agent is instructed to summarize and display this data. While transmission is to the declared service only, the skill introduces a PII data flow that users should be aware of before installation.
LOW API response injection surface via external JSON parsing -8
The skill instructs the agent to execute curl and parse JSON responses from an external service (datafa.st). If DataFast's API were compromised or if the skill were pointed at a spoofed endpoint, JSON field values (e.g., referrer names, page titles, goal names) could contain embedded LLM instructions that the agent might act on when summarizing results.
LOW Unresolved template variable {baseDir} in local file reference -8
SKILL.md instructs the agent to read a local reference file using the path '{baseDir}/references/datafast-api-docs.md'. The variable {baseDir} is never defined within the skill. Depending on how OpenClaw resolves this, the agent may attempt to read an arbitrary filesystem path, fail silently, or resolve to an unintended directory. This could be exploited if {baseDir} can be influenced by environment variables or a companion skill.
LOW Agent instructed to execute shell commands via curl -8
The skill's primary interaction pattern requires the agent to construct and execute curl shell commands to call the DataFast API. This is disclosed in the skill description but grants the skill the ability to direct outbound network requests with arbitrary headers and bodies using the agent's shell access. A maliciously crafted user request could cause the agent to add unexpected curl flags or headers.
INFO Skill distributed via shared OpenClaw monorepo, not author's own repository 0
The skill is installed via sparse checkout of github.com/openclaw/skills — a shared platform monorepo — rather than a standalone repository. This means the install path is controlled by the OpenClaw platform maintainers and the skill content is what was reviewed. The commit hash is pinned in _meta.json.
INFO Canary file reads attributable to test harness, not skill 0
File access events for /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials appear in monitoring at timestamps 1771733739 and 1771733758. The git clone did not begin until 1771733744, confirming the first batch of reads predates any skill code execution. Both batches are consistent with oathe's canary setup and teardown procedures. All canary files remain unmodified.