Is calbabyjr/visa-business-planner safe?
https://github.com/openclaw/skills/tree/main/skills/calbabyjr/visa-business-planner
The visa-business-planner skill is a legitimate, well-scoped tool for Japanese Business Manager Visa planning. Static analysis of SKILL.md reveals no prompt injection, persona manipulation, or hidden instructions. The included Python script (financial_projection.py) is a benign math utility with no network or filesystem access. Canary honeypot files passed integrity checks; observed accesses are attributable to the oathe monitoring framework's own baseline and verification cycles, not to skill code. The only minor concerns are the presence of an executable Python file (declared feature) and an implicit web access requirement (disclosed in SKILL.md).
Findings (4)
LOW Executable Python script included -15
financial_projection.py is a runnable script that an agent could invoke via shell. The script is clean — it imports only sys, performs arithmetic on command-line arguments, and prints results. No network calls, subprocess usage, or filesystem access. Risk is limited to an agent being manipulated into passing malicious arguments, which is mitigated by the script's lack of eval or shell invocation.
LOW Implicit web access requirement -5
SKILL.md states 'Access to web for latest market data' as a requirement. This is disclosed and user-beneficial, but means the skill may cause agents to fetch external market data URLs during normal operation. The SKILL.md itself does not specify which URLs to fetch, leaving this to user requests.
INFO Canary files read by monitoring framework (not skill) 0
Audit records show canary files (.env, id_rsa, .aws/credentials, etc.) read at timestamps 1771738680 and 1771738702. Timing analysis confirms these correspond to the oathe framework's pre-install baseline capture and post-install integrity verification cycles, not to any skill-initiated code. The skill's only executable (financial_projection.py) has no file I/O. Canary integrity passed.
INFO Only GitHub contacted during installation 0
Network monitoring confirms the sole external TLS connection during skill installation was to 140.82.121.3:443 (GitHub) for the git sparse-checkout clone. This is the expected behavior of the oathe installer script. No DNS queries to unexpected domains and no connections to attacker-controlled infrastructure observed.