Is caebixus/chaterimo-openclaw-skill safe?

https://github.com/openclaw/skills/tree/main/skills/caebixus/chaterimo-openclaw-skill

90
SAFE

The chaterimo-openclaw-skill is a documentation-only skill (SKILL.md + _meta.json, zero executable code) that provides read-only integration with Chaterimo's e-commerce customer service API. No prompt injection, active data exfiltration, malicious code execution, or canary compromise was detected; the skill's install-time attack surface is effectively zero. The primary residual concerns are the inherent sensitivity of customer conversation data retrieved at runtime and the unverifiable server-side PII redaction claim, neither of which indicates malicious intent by the skill author.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 92/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (7)

LOW Canary credential files accessed during monitoring -8

Six honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud application_default_credentials.json) were read at two points during the audit window. All files are confirmed intact with no modification or exfiltration. Because the skill contains zero executable code, these reads cannot have originated from the skill; they are attributable to the oathe audit framework's canary-setup (pre-clone, ~04:21:09) and post-install integrity-check (~04:21:28) operations. Flagged for transparency.

LOW Skill retrieves full customer conversation transcripts -12

The skill's core functionality is reading customer service conversations from the Chaterimo API, including full message transcripts. Server-side PII redaction (email → [EMAIL], phone → [PHONE]) is claimed but cannot be independently verified. Conversation content may include order details, complaints, product questions, and other sensitive e-commerce data beyond the stated redaction categories.

INFO Third-party API credential required in execution environment -8

The skill requires CHATERIMO_API_KEY to be exported in the agent's environment. This is standard for API integrations, but it means a third-party service credential is present in the process environment, where it is accessible to any code running in that context.

INFO External URLs in skill documentation -5

SKILL.md contains several hyperlinks to chaterimo.com (homepage, blog, API keys page) and GitHub. These appear in informational documentation sections and do not instruct the agent to autonomously fetch them. No prompt injection risk identified from this content.

INFO Skill is documentation-only with no executable artifacts -2

The installed skill consists exclusively of SKILL.md and _meta.json. No package.json, npm install scripts, git hooks, .gitattributes smudge/clean filters, .gitmodules, symlinks, or any executable code were found. The install-time code execution surface is zero.

INFO Expected GitHub sparse-checkout connection during installation -5

Installation performed a shallow sparse checkout of the openclaw/skills monorepo to extract only the chaterimo skill subdirectory, then removed the temporary clone. The sole external connection was to 140.82.121.3:443 (github.com). A pre-existing Canonical/Ubuntu connection (91.189.91.49:443) was present before install and absent after; it is unrelated to the skill. No new network listeners or persistent connections appeared post-install.

LOW Indirect data exposure risk via multi-skill composition -20

In isolation this skill is read-only and limited. However, when active alongside file-write or HTTP-request tools, an adversarial prompt or malicious conversation content could direct the agent to retrieve conversation transcripts and forward them externally. Additionally, Chaterimo's BYOK model means the user's own OpenAI, Anthropic, Google, or xAI API keys are stored within the Chaterimo platform, creating a secondary supply-chain credential risk if Chaterimo itself were compromised.