Is captchasco/captchas-openclaw safe?

https://github.com/openclaw/skills/tree/main/skills/captchasco/captchas-openclaw

91
SAFE

captchas-openclaw is a documentation-only integration skill providing tool schemas and configuration guidance for the CAPTCHAS Agent API. The SKILL.md contains no prompt injection, persona manipulation, or filesystem-access instructions; the install was clean with only an expected GitHub clone connection and no canary file compromise. The primary residual risk is structural: the unrestricted signals field and third-party API routing mean that an agent using these tools will transmit interaction data to captchasco infrastructure, which is inherent to any CAPTCHA service integration.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 74/100 · 5%

Findings (5)

LOW Unrestricted signals parameter transmits arbitrary data to external API -12

The captchas_agent_verify tool schema defines signals as {type: object, additionalProperties: true} with no required properties. An LLM agent may populate this with arbitrary contextual data, which is then transmitted to agent.captchas.co. While the skill instructs to avoid PII, there is no schema-level enforcement.

LOW Unvalidated media_url field -6

The captchas_agent_verify schema includes a media_url string field with no format or domain validation. Depending on how the CAPTCHAS backend processes this, it could be used for SSRF if the server fetches the URL, or an agent could inadvertently pass sensitive internal URLs.

INFO All agent tool calls route through third-party captchas.co infrastructure -5

By design, any agent using this skill sends verification requests to https://agent.captchas.co. Users should be aware that interaction data (action strings, signals, challenge answers) flows to captchasco's servers. This is expected for a CAPTCHA service but represents a data-sharing relationship.

INFO Cross-skill dependency reference -2

SKILL.md references captchas-human-verification/SKILL.md for workflow guidance. This creates a soft dependency on another skill that was not included in this audit scope.

INFO Clean install — only GitHub connection observed 0

The sparse checkout from the openclaw/skills monorepo connected only to GitHub (140.82.121.3:443). No connections to captchas.co, no unexpected process spawning, no writes outside the skill directory.