Is darthdens/echo-ai safe?

https://github.com/openclaw/skills/tree/main/skills/darthdens/echo-ai

Overall score: 87 (SAFE)

The echo-ai skill is a legitimate API integration with no malicious code, no unauthorized credential access, and a clean installation. The primary security considerations are inherent to its design: user conversation data is transmitted to a third-party commercial platform (echoai.so), and Echo AI assistant responses enter the agent's context without sanitization, creating an indirect prompt injection surface if a malicious Echo owner crafts adversarial responses. The skill includes appropriate user confirmation gates for credit-consuming operations.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

MEDIUM User conversation content transmitted to third-party echoai.so -15

Every chat interaction the agent facilitates results in user message content, session identifiers, and visitor identifiers being transmitted to auth.echoai.so. Users may not realize their agent conversations with this skill active are being processed and stored by a commercial third party. The skill does not disclose data retention or privacy terms within the SKILL.md.

LOW Echo AI response content enters agent context without sanitization -10

Chat responses from Echo AI assistants (controlled by arbitrary third-party businesses and creators) are inserted directly into the agent's reasoning context. A malicious Echo owner could craft responses containing adversarial instructions targeting the agent's behavior.

LOW Third-party platform as single point of trust failure -10

The skill establishes a permanent trust relationship with echoai.so. Compromise of that platform, change in ownership, or policy change would immediately affect all agents using this skill, potentially redirecting API keys, injecting adversarial content, or exfiltrating conversation history.

LOW ECHO_API_KEY credential transmitted to a third party in every request -5

The API key is sent as a plaintext HTTP header on all requests. Workspace-scoped keys provide access to all assistants under the owner's account. Exposure of this key through logging, MITM, or platform breach grants full access to the user's Echo AI workspace.

INFO Skill is pure Markdown with no executable artifacts 0

No executable code, install scripts, git hooks, submodules, or symlinks were found. The install was clean and limited to documentation files. The skill operates entirely through agent-initiated HTTP calls at runtime.

INFO All honeypot files intact; credential accesses predate install 0

Observed accesses to .env, .ssh/id_rsa, .aws/credentials, and cloud credential files occurred before the git clone began and again after install as part of canary verification. No exfiltration pathway was detected. The monitoring system confirmed all canary files were unmodified.