Is bywallace/kubera-skill safe?

https://github.com/openclaw/skills/tree/main/skills/bywallace/kubera-skill

86
SAFE

The kubera-skill is a legitimate, well-implemented Kubera.com API client with no prompt injection, hidden exfiltration, malicious code, or anomalous install behavior. The skill code is clean Python (standard library only), communicates exclusively with api.kubera.com, and is transparent about its capabilities. The primary risk is structural rather than malicious: the skill grants AI agents full read access to a user's complete financial portfolio and write access to individual asset records, making it a high-value target if the agent is subject to prompt injection from other sources and a significant privacy concern if agent conversations are logged or stored.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (7)

HIGH Complete financial portfolio routed through agent context -25

The skill's core function is to read and output a user's complete financial portfolio: net worth, all asset and debt balances, investment holdings, cost basis, unrealized gains, allocation percentages, and more. The 'json' subcommand returns the raw API response, including insurance policies and document metadata. Every invocation causes this highly sensitive financial PII to transit the agent's context window, where it may be stored in conversation logs, RAG databases, or training data pipelines. This is inherent to the skill's purpose, but users must understand the data-handling implications.

HIGH AI agent write access to financial records via update subcommand -15

The 'update' subcommand issues authenticated POST requests to modify asset or debt records in Kubera. The only safeguard is a --confirm CLI flag. Because the agent composes the command line itself, it can supply that flag without any human involved, so the flag does not amount to a human-in-the-loop check. An adversarial prompt injection in user-provided content, or a co-installed malicious skill, could instruct the agent to corrupt financial records, set asset values to zero, or plant false valuations that affect portfolio reporting.

MEDIUM Highly sensitive financial data transits agent context in plaintext -15

All read subcommands (summary, assets, search, json) cause detailed financial data to flow through the agent's output channel. If the agent platform logs conversations, indexes context for RAG, or forwards responses to analytics pipelines, this financial data is exposed. The risk is amplified because the data is comprehensive: not just totals but individual account names, tickers, exact balances, and tax details.
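An added example of the mitigation a practitioner would want for this finding, not code from the skill: a minimization layer between the API response and the agent's context that returns category totals and allocation percentages with coarsened amounts, and a redaction pass for the raw 'json' path that drops the insurance and document sections and every identifying key (account names, tickers, policy numbers, URLs). The portfolio below is a constructed sample with an assumed shape, not Kubera's actual response format.

```python
"""Added example, not part of kubera-skill: minimize what enters the agent's
context window instead of passing the raw portfolio through."""
import json
from collections import defaultdict

# Constructed sample portfolio (assumed shape, fictional values).
RAW_PORTFOLIO = {
    "netWorth": 412500.5,
    "assets": [
        {"id": "a1", "name": "Schwab Brokerage ...1234", "category": "Investments",
         "value": 250000.0,
         "holdings": [{"ticker": "VTI", "quantity": 400, "costBasis": 60000.0}]},
        {"id": "a2", "name": "Home at 12 Elm St", "category": "Real Estate",
         "value": 300000.0},
        {"id": "a3", "name": "Chase Checking ...9876", "category": "Cash",
         "value": 12500.5},
    ],
    "debts": [
        {"id": "d1", "name": "Mortgage (Wells Fargo)", "category": "Mortgage",
         "value": 150000.0},
    ],
    "insurance": [{"provider": "Acme Life", "policyNumber": "POL-0001"}],
    "documents": [{"title": "2023 tax return", "url": "https://example.invalid/doc"}],
}

# Whole sections the 'json' path would otherwise include (per the finding).
DROP_SECTIONS = {"insurance", "documents"}
# Keys that identify accounts, securities, policies or files.
IDENTIFYING_KEYS = {"name", "ticker", "policyNumber", "url", "title", "provider"}


def round_to(value, step):
    """Coarsen an amount to the nearest multiple of step (e.g. 1000)."""
    return round(value / step) * step


def minimize(raw, step=1000.0):
    """Summary view: allocation by category with coarsened amounts. No account
    names, tickers, cost basis, holdings or per-account balances survive."""
    by_cat = defaultdict(float)
    for asset in raw.get("assets", []):
        by_cat[asset["category"]] += asset["value"]
    total_assets = sum(by_cat.values()) or 1.0
    total_debts = sum(d["value"] for d in raw.get("debts", []))
    return {
        "netWorth": round_to(raw["netWorth"], step),
        "totalDebts": round_to(total_debts, step),
        "allocation": {
            cat: {"amount": round_to(val, step),
                  "pct": round(100.0 * val / total_assets, 1)}
            for cat, val in sorted(by_cat.items())
        },
    }


def redact(obj):
    """Recursive copy for the raw path: drops DROP_SECTIONS and
    IDENTIFYING_KEYS at every depth, keeps structure and numbers."""
    if isinstance(obj, dict):
        return {k: redact(v) for k, v in obj.items()
                if k not in DROP_SECTIONS and k not in IDENTIFYING_KEYS}
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    return obj


def leaked_strings(output, raw=RAW_PORTFOLIO):
    """Self-check: which identifying string values from raw appear verbatim in
    the serialized output. Empty list means nothing identifying leaked."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if k in IDENTIFYING_KEYS and isinstance(v, str) and v in output:
                    found.append(v)
                walk(v)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(raw)
    return found


if __name__ == "__main__":
    print(json.dumps(minimize(RAW_PORTFOLIO), indent=2))
    print(json.dumps(redact(RAW_PORTFOLIO), indent=2))
```

Rounding to a step is a deliberate choice: exact balances are a fingerprint that can be matched against statements or breach data, while thousand-level amounts still answer the questions an assistant is usually asked.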

LOW Executable Python script makes authenticated API calls -10

The skill bundles scripts/kubera.py, an executable Python script that makes HTTPS requests to api.kubera.com. The code is clean: standard library only, no subprocess, no eval, no dynamic imports. The HMAC-SHA256 request signature logic is correctly implemented. The concern is limited to the 'update' path, which performs write operations.

LOW API credentials exposed in environment variables -5

The skill requires KUBERA_API_KEY and KUBERA_SECRET to be set as environment variables. Environment variables are readable by any process running as the same user (via /proc/*/environ on Linux) and can be captured in core dumps and crash reports. The SKILL.md appropriately recommends read-only API keys, which limits the blast radius of a credential compromise to disclosure rather than modification.

INFO Standard monorepo sparse-checkout installation — no anomalies 0

Installation executed a git sparse-checkout of only the target skill subdirectory from the openclaw/skills monorepo, followed by a cp to the install directory and cleanup of the temp clone. All network traffic during install went to GitHub (140.82.114.3:443). No unexpected processes, no persistence mechanisms, no filesystem changes outside the designated install path.

INFO Canary file accesses attributable to monitoring system, not skill 0

Path audit records show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at two discrete timestamps: 1771937860 (pre-install, before the git clone began) and 1771937882 (post-install, after the cp completed). This timing pattern is consistent with the Oathe monitoring system performing its integrity-baseline and post-install canary checks rather than with skill activity. The kubera.py source code contains no references to any of these paths, and the canary integrity monitor confirms all files are intact.