Is branexp/gh-action-gen safe?
https://github.com/openclaw/skills/tree/main/skills/branexp/gh-action-gen
This skill is a legitimate GitHub Actions workflow generator that uses OpenAI's API to convert plain English descriptions into YAML workflows. The main security considerations are environment file access for API credentials and data transmission to OpenAI, both of which appear to be legitimate for its intended functionality.
Findings (3)
MEDIUM: Environment File Access (-20)
The skill reads the .env file multiple times during execution. While this appears to be for a legitimate purpose (reading OPENAI_API_KEY), the same access could also expose other sensitive variables stored in that file.
LOW: External API Data Transmission (-5)
User input is transmitted to OpenAI's API for workflow generation. While this is the intended functionality, users should be aware that their descriptions are sent to a third-party service.
LOW: Potential for Malicious Workflow Generation (-15)
While the skill itself is benign, it could potentially generate malicious GitHub Actions workflows if prompted maliciously by the user. This is primarily a user responsibility issue.