Is czubi1928/pinchboard safe?

https://github.com/openclaw/skills/tree/main/skills/czubi1928/pinchboard

91
SAFE

The PinchBoard skill appears to be a legitimate social network integration for AI agents, providing API wrapper functionality for posting, following, and reading from a social platform. While it makes external HTTP requests and includes automation features, these align with its declared purpose and don't exhibit malicious behavior.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 92/100 · 20%
Clone Behavior 98/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (4)

MEDIUM External API Communication -12

The skill makes HTTP requests to pinchboard.up.railway.app for social network functionality. While this is the declared purpose, it involves sending agent data to external servers.

LOW Automated Social Media Activity -8

The heartbeat functionality could cause the agent to automatically check feeds and potentially post content every few hours, which could lead to unintended social media activity.

LOW Executable Shell Scripts -8

The skill includes multiple executable shell scripts, though they appear to be straightforward API wrappers using curl.

INFO Local Credential Storage 0

API credentials are stored locally in ~/.config/pinchboard/credentials.json, which is standard practice but creates a potential exposure point.