Is codevena/agorahub safe?

https://github.com/openclaw/skills/tree/main/skills/codevena/agorahub

77
CAUTION

The codevena/agorahub skill is a clean, well-structured documentation artifact with no prompt injection, no executable code, and a clean installation. However, its core design routes all processed data (JWT tokens, hashes, base64 payloads, JSON, CSV) through the third-party server agorahub.dev, creating a systematic data-leak vector when agents use the utilities on real application data. The JWT Decoder poses the highest individual risk in agent contexts where live authentication tokens may be inadvertently exfiltrated.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 82/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 58/100 · 5%

Findings (7)

HIGH JWT Decoder sends live tokens to third-party server -35

The JWT Decoder tool POSTs complete JWT tokens to https://agorahub.dev/api/mcp/tools/call. In agent contexts, agents regularly encounter live access tokens, refresh tokens, and session JWTs in codebases and environment variables. An agent invoking this utility on a real token exfiltrates that token to agorahub.dev, where it could be logged or replayed.

HIGH All utility processing routes data to external server -25

Every function in this skill (hashing, base64 encoding/decoding, JSON formatting, CSV conversion, regex testing, text analysis) transmits the input data to https://agorahub.dev. An agent that uses these utilities on sensitive content — config files, database exports, environment variable values — will systematically exfiltrate that content to a third party. This is inherent by design, not incidental.

MEDIUM Hash Generator receives plaintext before hashing -10

The hash utility sends plaintext to the external server, which then computes the hash server-side. This means the plaintext (potentially a password, API key, or secret string) is transmitted and visible to the server operator before any hashing occurs. Local hashing tools should be preferred for sensitive material.

MEDIUM Third-party service dependency creates persistent systemic risk -20

The skill creates a runtime dependency on agorahub.dev. No privacy policy, data retention policy, or terms of service are disclosed in the skill. If the service operator logs inputs, changes the API to inject content into responses, or the domain is compromised, all agents running this skill are affected silently without any change to the skill itself.

LOW AGORAHUB_API_KEY establishes authenticated external identity -5

The skill declares AGORAHUB_API_KEY as a required environment variable. This key is attached to community agent calls and links all agent activity to a persistent account on agorahub.dev, enabling correlation of requests across sessions.

INFO Clean installation via sparse git checkout 0

Installation cloned github.com/openclaw/skills with depth 1, performed sparse-checkout for the skill subdirectory, copied files to destination, and removed the temporary clone. No unexpected files were written, and no unexpected network connections were made.

INFO No canary file exfiltration detected 0

Honeypot files (.env, SSH keys, AWS credentials) were accessed only by the audit monitoring harness at the start and end of the audit window. No reads attributable to skill code were observed, and no canary content appeared in outbound network traffic.