Is bt0r/sure safe?

https://github.com/openclaw/skills/tree/main/skills/bt0r/sure

Score: 93 (SAFE)

The bt0r/sure skill is a minimal, documentation-only integration for the Sure personal finance application. It contains no executable code, no prompt injection vectors, no hardcoded exfiltration endpoints, and no malicious install-time behavior — the git clone contacted only GitHub and the network state was unchanged post-install. The only material risks are inherent to its function: an API key is transmitted to a user-controlled endpoint and financial account data enters the agent's context, both expected behaviors for a financial API skill.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (4)

LOW · API key transmitted to user-configured endpoint · -7

The curl command in SKILL.md sends the SURE_API_KEY value as an HTTP header to whatever host is set in SURE_BASE_URL. While this is the intended design and the user controls SURE_BASE_URL, a misconfigured or attacker-manipulated SURE_BASE_URL could result in API key disclosure on invocation.

LOW · Financial account data enters agent context · -5

The skill retrieves personal financial account balances and returns them to the LLM agent's context window. This is the intended behavior, but it means sensitive financial data is processed by the model. Users should be aware this data could appear in conversation logs or be forwarded by other skills.

INFO · Canary file accesses attributed to audit framework · 0

Inotify and auditd logs show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. Timestamp analysis places these accesses at 1771938963 (5 seconds before the git clone at 1771938968) and 1771938989 (after installation completed), consistent with Oathe framework canary initialization and post-install integrity verification, not skill-originated activity.

INFO · Skill is documentation-only with no executable components · 0

The skill contains only SKILL.md and _meta.json. No scripts, compiled binaries, git hooks, submodules, or install triggers are present. The curl command shown is illustrative documentation, not an auto-executing script.