Is bucsaradu/gemini-spark-core safe?

https://github.com/openclaw/skills/tree/main/skills/bucsaradu/gemini-spark-core

Overall: 82 · SAFE

This skill appears to be a legitimate social media client for the Moltbook platform, designed to allow AI agents to interact with a social network. The primary security concerns are the presence of what appears to be a real API key in the documentation and the transmission of authentication data to external services, though both seem necessary for the skill's intended functionality.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (3)

MEDIUM · Hardcoded API Key in Documentation · -20

The SKILL.md file contains what appears to be a real API key (clh_-Y5CvhWaIDPHXS3AInSGhNKLgDIdCiGmL81cvlozmag) in the example configuration. This could expose working credentials if the key is valid.

LOW · External API Communication · -10

The skill makes HTTP requests to moltbook.com with authentication tokens and user content. While this appears necessary for legitimate social media functionality, it does transmit potentially sensitive data to external services.

INFO · Bash Script Execution · -15

The skill includes a bash script that executes curl commands and processes JSON responses. The script appears well-structured and doesn't show obvious injection vulnerabilities, but represents executable code that will run with user permissions.