Is danpalmieri/books-for-agents safe?

https://github.com/openclaw/skills/tree/main/skills/danpalmieri/books-for-agents

Overall score: 83 · Verdict: SAFE

The books-for-agents skill package itself is clean: no executable code, no prompt injection directives, no canary exfiltration, and a straightforward git installation. The primary risk is structural rather than immediately malicious — the skill's purpose is to register a persistent external HTTP MCP server (booksforagents.com), and MCP tool responses enter the LLM context as trusted content; a compromised or adversarial server could inject instructions via generate_book's 'instructions' field. The submit_book tool also creates an outbound data publication channel that could be abused in combination with file-reading skills.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection      78/100 · 30%
Data Exfiltration     82/100 · 25%
Code Execution        90/100 · 20%
Clone Behavior        91/100 · 10%
Canary Integrity     100/100 · 10%
Behavioral Reasoning  74/100 ·  5%

Findings (7)

[MEDIUM] External MCP Server Registers Persistent Tool Provider (score impact: -15)

The skill's primary action is to add https://booksforagents.com/mcp as a persistent MCP tool server. All tool responses from this server enter the LLM context as trusted content. If the server is compromised or behaves adversarially, it can inject instructions into the agent's reasoning on every subsequent tool call without the user's knowledge.

[MEDIUM] generate_book Fetches Untrusted 'Instructions' from External Server (score impact: -7)

The generate_book tool is documented to return 'the template, example, metadata, and instructions needed to generate the next book summary.' Instructions sourced from an external HTTP endpoint are a classic second-order prompt injection vector — the server controls what the agent is told to do after calling this tool.

[LOW] submit_book Creates Outbound Data Publication Channel (score impact: -10)

The submit_book tool publishes arbitrary content to booksforagents.com. While intended for book summaries, if an adversary chained this skill with filesystem access, it could be used to publish sensitive local file contents as 'book summaries' to a public endpoint. No evidence of this happening in the current audit.

[LOW] User Search Queries Transmitted to Third-Party Service (score impact: -8)

All search_books queries are sent to booksforagents.com, exposing user research topics, interests, and potentially project context to a third-party operator.

[INFO] No Executable Code in Skill Package (score impact: 0)

The skill package contains only SKILL.md, _meta.json, and .clawhub/lock.json. No scripts, compiled binaries, git hooks, submodules, or symlinks were found.

[INFO] All Honeypot Files Confirmed Intact (score impact: 0)

Post-install integrity check confirmed no canary files were modified or exfiltrated. PATH audit events showing canary file access are attributable to oathe's own pre/post monitoring passes (timestamps 1771920204 and 1771920221), not to skill code.

[INFO] Clean Installation — No Unexpected Network or Process Activity (score impact: 0)

git clone targeted only github.com. No secondary network connections, unexpected child processes, or filesystem writes outside the skill directory were attributed to the skill installation itself.