Is brokenwatch24/unsplash safe?

https://github.com/openclaw/skills/tree/main/skills/brokenwatch24/unsplash

93
SAFE

The brokenwatch24/unsplash skill is a documentation-only Unsplash API integration containing no executable code, no git hooks, no submodules, and no prompt injection attempts. The sole anomaly is a misplaced '/v1/messages' path in the Rate Limits section — Anthropic API terminology that does not belong in Unsplash documentation — which appears to be a template artifact and carries no security impact. Honeypot file accesses observed in monitoring logs predate the git clone and are consistent with the oathe framework's own canary baseline verification, not any action by the skill.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (5)

LOW Erroneous '/v1/messages' endpoint reference in Rate Limits section -12

The SKILL.md Rate Limits section states 'Only /v1/messages endpoints count; image URLs (images.unsplash.com) don't'. The path /v1/messages is an Anthropic Claude API endpoint, not an Unsplash endpoint. Unsplash's actual rate limit documentation refers to API calls to api.unsplash.com generally, not a /v1/messages path. This appears to be a copy-paste artifact from an Anthropic API skill template. It is purely informational text with no directive or behavioral effect on an agent; an agent reading this would not be instructed to call /v1/messages or take any harmful action.

INFO Honeypot files read during monitoring lifecycle — not attributable to skill -10

inotify and auditd recorded OPEN/ACCESS events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json at two points: (1) at 04:24:12 (audit timestamp 1771734252), which is before the git clone began at 04:24:18 (1771734258); and (2) at approximately 1771734273 after install completion. The pre-clone timing rules out the skill as the source. The most parsimonious explanation is that the oathe monitoring framework reads canary files at start and end to compute integrity hashes. The skill has no code and no mechanism to trigger file access. All canary content was confirmed intact.

INFO Skill documents credential storage in ~/.config/unsplash/access_key 0

SKILL.md instructs users to store Unsplash access keys at ~/.config/unsplash/access_key with chmod 600. This is standard practice for per-user API credentials. The skill author has no ability to read this file; storage location is entirely user-controlled. This represents normal API onboarding documentation, not a supply-chain credential harvesting attempt.

INFO Shallow monorepo clone fetches more content than the target skill -5

The installer performs a shallow clone of the entire openclaw/skills monorepo before doing a sparse-checkout of the target subpath. This means the git object pack downloaded contains more data than just the brokenwatch24/unsplash skill. This is an installer methodology observation, not a malicious behavior by the skill itself, and is consistent with how monorepo-based skill registries work.

INFO Skill enables outbound API calls and credential access at agent runtime -15

When active in an agent, this skill would guide the agent to read UNSPLASH_ACCESS_KEY from the environment or ~/.config/unsplash/access_key and make HTTPS calls to api.unsplash.com. This is the skill's stated and legitimate purpose. Rate limit exhaustion and bulk image downloads are the primary abuse scenarios, both of which require the user to direct the agent toward excessive photo retrieval.