Is christiancattaneo/ipeaky safe?

The test_key.sh script and SKILL.md test instructions make real HTTP requests carrying API keys in Authorization headers to provider endpoints (api.openai.com, api.elevenlabs.io, api.anthropic.com, api.search.brave.com, generativelanguage.googleapis.com). While these are legitimate endpoints, this is network egress with sensitive credential material and any MITM or compromised provider endpoint could capture key values.

Keys stored via gateway config.patch into openclaw.json are automatically injected into every skill declaring a matching primaryEnv. The README explicitly states 'Trade-off: Keys in openclaw.json are available to all skills that declare the matching primaryEnv.' A malicious skill installed alongside ipeaky can silently harvest any key stored by this skill without user awareness.

The skill's description field triggers on a wide set of phrases including 'add API key', 'store my key', 'manage keys', 'test my key', 'set up API key', and additionally activates 'when a skill requires an API key that isn't configured.' The last trigger is particularly broad — it means ipeaky will auto-invoke whenever any other skill is missing a key, potentially inserting itself into unrelated workflows.

The skill instructs the agent to act autonomously on key-like strings found in chat without an explicit per-instance confirmation step: 'If a user pastes a key directly in chat, store it immediately.' This coerces the agent into taking a storage action that the user may not have intended as a command.

test_key.sh is a bash script that reads a key from stdin and passes it in curl HTTP headers to external APIs. While the script has good hygiene (set -euo pipefail, no eval, key masking in output), it represents executable shell code that performs credentialed outbound network calls.

secure_input_mac.sh invokes osascript to present a UI dialog. osascript can automate virtually any macOS application and UI action. The specific usage here is constrained to a display dialog command with hidden input, but the binary itself has capabilities far beyond what is used.

Auditd PATH records show accesses to all six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/credentials) at timestamp 1771940171.923, after skill installation completed at ~1771940167. However, no EXECVE records from skill scripts correlate to these accesses, the canary integrity check confirms all files intact and unmodified, and the access pattern (all six files at exactly the same second) is consistent with automated monitoring rather than malicious activity.

ipeaky concentrates all API keys into a single openclaw.json file accessible to the entire skill runtime. The individual skill is not malicious, but the architecture creates a high-value target. Risk is proportional to how many other skills are installed and whether any of them are compromised.