Is ceo991/b2c-marketing-1-0-1 safe?
https://github.com/openclaw/skills/tree/main/skills/ceo991/b2c-marketing-1-0-1
The b2c-marketing skill is a well-structured social media marketing automation guide with no prompt injection vectors, no malicious code, and a clean install that made only the expected GitHub connection. Canary file access events observed during monitoring are attributable to the audit infrastructure initialization and post-install verification sweeps — not the skill — and all honeypot files remain intact and unmodified. The primary concerns are low-severity: the skill's standard .env read instruction for API credentials, data flow to the external Post Bridge API service (the skill's core transport mechanism), and a missing referenced dependency file (references/slideshow-method.md) that would break the slideshow workflow.
Findings (6)
LOW .env Credential File Read Instruction -10
The skill explicitly instructs the agent to locate and read the workspace .env file to retrieve POST_BRIDGE_API_KEY. While this is a standard and legitimate pattern for API-integrated skills, it directs agent attention to the credential file and establishes a precedent for .env access that could be abused by a malicious variant of this skill or by prompt injection from external content processed during the workflow.
LOW User Content Transmitted to External Third-Party API -8
The skill routes video files, captions, social account identifiers, and scheduling metadata through api.post-bridge.com. This is the intended and disclosed behavior of the skill, but it represents a data flow to an external service outside the user's infrastructure. If Post Bridge is compromised, experiences a data breach, or is operated maliciously, user content and social platform credentials (connected via OAuth) would be exposed.
LOW Missing Referenced Dependency File -7
SKILL.md references references/slideshow-method.md for AI-generated slideshow creation, but this file was not included in the skill package (only _meta.json and SKILL.md are present). An agent following the slideshow workflow would fail to locate the referenced instructions, potentially leading to confused behavior, repeated filesystem searches, or the agent attempting to infer unspecified slideshow procedures.
LOW Cron Job Creation Instruction -5
The Daily Workflow instructs the agent to set up a cron job to check post status 5 minutes after each scheduled post. This causes the agent to install a persistent scheduled task on the host system. While benign and aligned with the skill's purpose, it represents scheduled agent persistence that runs outside explicit user-initiated invocations.
INFO Engagement Manipulation and High-Volume Posting Risk -8
The skill advises withholding the app name from captions to artificially drive comment engagement ('let people ask in comments'), and instructs scaling to 2-6 posts per day once a winning format is found. These are technically legitimate growth-hacking tactics but represent dark-pattern engagement manipulation. Without content review controls, an agent using this skill could autonomously generate and post high volumes of content across three platforms.
INFO Expected GitHub Network Connection During Install -8
The install process made a single TLS connection to 140.82.121.4:443 (GitHub) to perform the sparse monorepo clone. This is the expected and only external network contact during installation. No additional connections to unexpected hosts were observed.