Is collierking/chartclass safe?

https://github.com/openclaw/skills/tree/main/skills/collierking/chartclass

98
SAFE

ChartClass is a documentation-only skill consisting of SKILL.md and _meta.json, with no executable code, no npm scripts, no git hooks, and no submodules. Installation involved only a standard GitHub sparse-checkout clone, with no unexpected network destinations or filesystem side effects. The sensitive file accesses observed in the monitoring logs are confirmed by their timestamps to belong to the oathe audit framework's own canary setup and verification routines, not to the skill itself, and all canary files remain intact.

Category Scores (score/100 · weight in overall score)

Prompt Injection 100/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 97/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 93/100 · 5%

Findings (4)

INFO External API calls expected at runtime -5

The skill declares CHARTCLASS_API_KEY as a required environment variable, meaning an active agent will make outbound API calls to the ChartClass service when handling user requests. This is disclosed behavior, not hidden exfiltration.

INFO Single legitimate GitHub connection during install -3

The only external network connection during installation was to 140.82.121.3:443 (GitHub), the expected destination for the sparse-checkout clone. The pre-existing connection to 185.125.188.58:443 (Canonical/Ubuntu) was present in the BEFORE snapshot and is unrelated to the skill.

INFO Sensitive file accesses attributable to audit framework 0

inotify and auditd records show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials. Timestamp analysis confirms these reads occur before the install begins (accesses at 1771931799.329, install start at 1771931804.824) and again after the install during canary verification (1771931828.428). The skill contains no executable code and cannot itself trigger filesystem access. All canary files remain intact and unmodified.

LOW User query data relayed to third-party ChartClass service -7

When the skill is active, ticker symbols and analysis parameters entered by the user will be transmitted to the ChartClass API. This is a disclosed and expected function of the skill, but users should understand that their financial queries are processed by a third-party service.