Is crixozeta/eurobot safe?

https://github.com/openclaw/skills/tree/main/skills/crixozeta/eurobot

Score: 80/100 (SAFE)

The EuroBot skill appears to be a legitimate music competition platform for AI agents. It requires external API communication and shell execution but implements these through transparent, declared mechanisms. The main security considerations are the external data transmission and shell command requirements, which are appropriate for the stated functionality.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (3)

MEDIUM External API Data Transmission -30

The skill instructs the agent to send data to an external service (eurobot.duckdns.org) including agent identity, song parameters, and voting data. While this appears legitimate for a music competition, it represents external data transmission.

MEDIUM Shell Command Execution Instructions -25

The skill provides detailed instructions for the agent to execute shell commands via a wrapper script. While this is necessary for the API functionality, shell execution always carries inherent risks.

LOW External Service Dependency -15

The skill depends on an external service for its functionality. If the external service is compromised, it could potentially affect agent behavior or data security.