Is crisanmm/dupe safe?

https://github.com/openclaw/skills/tree/main/skills/crisanmm/dupe

90/100 · SAFE

The crisanmm/dupe skill is a legitimate first-party integration built by dupe.com that finds visually similar products via the company's public API. Static analysis of SKILL.md reveals no prompt injection, hidden instructions, credential harvesting, or malicious code; the only commands are standard curl API calls. Dynamic monitoring confirms a clean install with no unexpected processes, no sensitive file access by the skill, no persistent network connections, and all canary honeypots intact. The primary consideration is a privacy one: every product URL the user searches is transmitted to and logged by dupe.com's commercial infrastructure, and the response format includes a referral link that routes users back to dupe.com's website.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 98/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (5)

LOW User product URLs transmitted to third-party commercial API -10

Every invocation of this skill sends the user-provided product page URL or image URL to api.dupe.com. While this is the explicit and disclosed purpose of the skill, it means dupe.com receives a log of every product a user researches through the agent. Users should be aware that their shopping intent is shared with a commercial third party.

LOW Referral link construction leaks user URL to dupe.com web property -8

The response format instructs the agent to construct a link of the form 'https://dupe.com/' and display it to the user. This link, if clicked, routes the user through dupe.com's web property using the original product URL as a path/query parameter, functioning as a referral or tracking mechanism.

LOW User-supplied URL embedded directly in curl command without sanitization guidance -5

The skill instructs the agent to substitute the user-provided URL directly into the JSON body passed to curl --data, with no guidance on validating or escaping it. Because the URL travels in the request body, the agent's own curl only ever connects to api.dupe.com, so restricting curl's URL schemes on the agent host does not address this finding; a URL pointing at an internal network resource or a file:// URI would be fetched, if at all, by dupe.com's backend, which makes it an SSRF concern on their side rather than on the user's machine. The agent-side concern is the substitution itself: when the command is assembled as text, a URL containing double quotes, backslashes or shell metacharacters can break out of the JSON string or of the shell quoting around it. A scheme and character allowlist applied before the substitution closes both gaps.
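One way to supply the missing validation before the agent runs the skill's curl call, as an added example that is not part of the skill or of dupe.com's documentation: allowlist the URL (scheme, character set, and host), then build the JSON body only from a value that has passed. The endpoint path and the "url" field name are assumptions, since the exact request in SKILL.md is not reproduced on this page; the sample URLs in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the skill): allowlist-validate a user-supplied
# product URL before it is substituted into a curl --data JSON body.
# Assumed, not taken from SKILL.md: the endpoint path and the "url" field.

# validate_product_url URL  ->  returns 0 if safe to embed, 1 otherwise
validate_product_url() {
    url=$1

    # 1. Scheme allowlist: only http/https. Rejects file://, gopher://, etc.
    case $url in
        http://*|https://*) ;;
        *) return 1 ;;
    esac

    # 2. Character allowlist: RFC 3986 URL characters minus double quote,
    #    backslash, backtick, '$', parentheses and whitespace. A value that
    #    passes cannot terminate a JSON string or escape shell quoting, so it
    #    needs no per-character escaping when interpolated below.
    printf '%s\n' "$url" | grep -Eq '^[A-Za-z0-9._~:/?#@&=%+,;!*-]+$' || return 1

    # 3. Host denylist: do not forward obviously internal names to a third
    #    party. Literal matching only: this does not resolve DNS, so a public
    #    name that resolves to a private address still passes (caveat).
    rest=${url#*://}
    host=${rest%%[/?#]*}      # cut at first path, query or fragment separator
    host=${host##*@}          # drop userinfo
    host=${host%%:*}          # drop port
    host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    case $host in
        ''|localhost|*.local|*.internal|127.*|10.*|192.168.*|169.254.*|0.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
    esac
    return 0
}

# build_payload URL  ->  prints the JSON body, or fails if the URL is rejected
build_payload() {
    validate_product_url "$1" || return 1
    # Safe to interpolate: the allowlist above excludes '"' and '\'.
    printf '{"url":"%s"}' "$1"
}

# find_dupes URL  ->  runs the skill's call with a validated body
find_dupes() {
    payload=$(build_payload "$1") || { echo "rejected URL: $1" >&2; return 1; }
    # PLACEHOLDER_PATH is an assumption; use the path SKILL.md specifies.
    curl -sS --fail \
         -H 'Content-Type: application/json' \
         --data "$payload" \
         'https://api.dupe.com/PLACEHOLDER_PATH'
}

# Usage (constructed sample URLs; only the first reaches the network):
#   find_dupes 'https://example.com/products/lamp-42'
#   find_dupes 'file:///etc/passwd'            # rejected: scheme
#   find_dupes 'http://192.168.1.10/admin'     # rejected: private host
#   find_dupes 'https://example.com/a"; id; "'  # rejected: quote and spaces
```

The character allowlist is deliberately stricter than RFC 3986: it also drops '$', parentheses and the single quote, which are legal in URLs but are exactly the characters that matter once the agent pastes the value into a command line. Internationalised hostnames are rejected by the ASCII allowlist and would need to be punycode-encoded first.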

INFO Mandatory ASCII art output branding -5

The skill unconditionally requires the agent to print a dupe.com ASCII art logo at the end of every response. While harmless, this is a branding control mechanism that forces a specific output format on every invocation.

INFO Canary file reads are attributable to audit framework, not skill -2

inotifywait events show reads on .env, .ssh/id_rsa, .aws/credentials and other sensitive files at 03:45:05, approximately 6 seconds before the git clone of the skill repository began. These are the Oathe audit framework's own canary setup and teardown reads. The skill itself triggered no sensitive file access.