Is code-with-brian/shelter safe?

https://github.com/openclaw/skills/tree/main/skills/code-with-brian/shelter

79
CAUTION

The Shelter skill is a legitimate financial API integration for shelter.money that connects agent workflows to real bank data via Plaid. The SKILL.md content is clean with no prompt injection, hidden instructions, or malicious behavioral directives. The primary concerns are architectural rather than adversarial: the skill by design routes financial queries and API keys to a third-party service operator (nextauralabs), a $SHELTER_API_URL environment variable creates a silent redirect vector, and npm lifecycle scripts write to the user's Claude configuration directory during installation. No evidence of credential exfiltration was detected in the sandboxed clone.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 73/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

MEDIUM Third-party financial service routes all queries and API key -20

By design, every endpoint call transmits the user's SHELTER_API_KEY as an HTTP header to api.shelter.money. POST endpoints additionally send user-supplied text (purchase descriptions, freeform questions). The skill's read-only claim is unverifiable from the client side — the API key's actual server-side permissions depend entirely on shelter.money's access control implementation.

MEDIUM $SHELTER_API_URL environment variable enables silent API key redirect -15

The base URL is constructed as ${SHELTER_API_URL:-https://api.shelter.money/agent}, meaning any process or configuration that sets SHELTER_API_URL can redirect all traffic — including the Bearer API key — to an arbitrary HTTPS host. An attacker with access to the agent's environment (e.g., via a malicious dotfile or CI/CD variable injection) could harvest the key and full financial query payloads.

LOW NPM lifecycle scripts execute Node.js code and write outside package directory -18

The postinstall script (install-skill.js) runs automatically on npm install and writes SKILL.md and the references/ directory to either ~/.claude/skills/shelter/ (global) or .claude/skills/shelter/ (project). The script was reviewed and is benign, but this pattern grants the package filesystem write access to the user's Claude configuration directory as a side effect of installation without explicit user confirmation of file placement.

LOW New outbound TCP connections and local listeners appeared post-install -27

The network connection diff shows that the openclaw-gateway process established two new outbound connections (44.214.208.192:443 and 104.16.8.34:443) and opened new TCP listeners on two ports (127.0.0.1:18790, [::1]:18790, 127.0.0.1:18793) that were not present before the skill was installed. The connections are attributed to the agent framework, not the skill's own code, and are likely telemetry or skill-registry update traffic. However, the exact purpose of these connections is not documented in the skill.

LOW Real bank data access requires trusting an unaudited third-party operator -35

Shelter connects user bank accounts via Plaid, giving shelter.money persistent read access to transaction history, balances, and recurring charges. The skill correctly documents this as read-only and scoped, but the user has no way to verify the server-side access control. The skill's usefulness is entirely predicated on trusting nextauralabs/shelter.money as a financial data processor — a relationship that should be established independently before installing the skill.

INFO Canary credential files accessed during monitoring window -5

Credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed at two points during monitoring (1771935529.475 and 1771935545.867). The access pattern is consistent with the audit harness performing initial canary setup and final integrity verification. The honeypot confirmed all files intact with no exfiltration.