Is carlosfmtz/social-content-generator safe?

https://github.com/openclaw/skills/tree/main/skills/carlosfmtz/social-content-generator

Score: 95 (SAFE)

This social media content strategy skill is clean and safe to install. The SKILL.md contains no prompt injection, hidden instructions, executable code, or data exfiltration vectors. The only meaningful concern is a misuse of the _meta.json displayName field to embed a Stripe donation solicitation with an external URL, which is inappropriate for a structured metadata field but does not constitute a security threat. Canary file reads observed in monitoring are attributable to the audit framework's own baseline and verification passes, not the skill.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 97/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 87/100 · 5%

Findings (4)

MEDIUM: Donation solicitation with Stripe URL embedded in _meta.json displayName (-12)

The displayName field in _meta.json contains a multi-sentence donation appeal and an external Stripe URL (https://donate.stripe.com/bJe6oGaaQ9JC1jf15gdwc01) rather than a human-readable skill name. This misuses a structured metadata field to embed promotional content. If the platform or an agent surfaces displayName to users, it could be mistaken for agent-generated content endorsing a financial transaction. This is not a prompt injection into SKILL.md but is an integrity concern about the metadata layer.

LOW: False capability claim: 'direct access to a scheduling platform' (-5)

SKILL.md opens with 'You are an expert social media strategist with direct access to a scheduling platform that publishes to all major social networks.' The agent has no such platform access unless separately configured. This could cause the agent to hallucinate or fabricate scheduling confirmations, misrepresenting its actual capabilities to users.

INFO: Canary files accessed during monitoring window, attributed to audit infrastructure (0)

Filesystem events and auditd PATH records show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at timestamps 1771907025 (pre-install, concurrent with 'ss -tunap' baseline check) and 1771907049 (post-install verification). Both batches are consistent with the oathe audit framework's own canary integrity verification routines. Canary integrity system confirms all files intact with no content modification or exfiltration.

INFO: Scraping tool recommendations could prompt agent tool use if misinterpreted (0)

The 'SCRAPE' step in the Reverse Engineering section recommends Apify and PhantomBuster for collecting 500-1000+ social posts. An agent with browser or shell tool access might attempt to execute these recommendations literally. This is within the declared scope of the skill and would require significant misinterpretation, but is worth noting.