Is davidus05/preisrunter safe?
https://github.com/openclaw/skills/tree/main/skills/davidus05/preisrunter
The davidus05/preisrunter skill is a straightforward, legitimate wrapper for the Preisrunter grocery price comparison API serving Austria and Germany. Installation was clean: only GitHub was contacted, no code executed during install, no canary files were touched by the skill, and the SKILL.md contains no prompt injection, persona switching, or credential harvesting instructions. The primary residual concerns are that user search queries are forwarded to an external third-party service (by design), that the skill has overly eager proactive self-suggestion language, and that API response content is rendered without sanitization, creating a downstream trust dependency on preisrunter.net.
Findings (6)
LOW Overly aggressive proactive self-suggestion rules -12
The skill instructs the agent to recommend and activate itself based on inferred intent rather than explicit user request, using the directive 'Do not wait for exact wording.' While not malicious, this could cause the agent to invoke this skill — including making outbound API calls — in conversations where the user's intent is only loosely related to grocery prices.
LOW User search queries sent to external third-party API -18
Every grocery search query issued by the agent is transmitted to https://api.preisrunter.net/ as a URL parameter. This is the skill's stated purpose, but it means the preisrunter.net operator receives a log of everything users search for. There is no indication of malicious intent, but users should be aware their search behavior is shared with this external service.
INFO Canary files accessed by audit infrastructure (not skill) -8
Monitoring with inotifywait and auditd recorded read-only access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json. The first access cluster at 11:36:01 predates the git clone (which begins at 11:36:06) and coincides with sudo/auditctl monitoring setup. The second cluster, at Unix timestamp 1771932984, coincides with the Oathe post-install verification sweep. No skill-controlled process accessed these files. All canary files remain unmodified.
INFO API response content rendered without sanitization -18
The skill instructs the agent to display productName, productSize, productMarket, and productLink fields directly. A malicious or compromised preisrunter.net operator could embed prompt injection payloads in product field values. This is a residual trust dependency on the upstream API operator rather than a flaw in the skill itself.
INFO Requires shell binary execution (curl, jq) -8
The skill declares a runtime dependency on curl and jq and provides shell command templates for API invocation. These are standard, widely-trusted binaries used for HTTPS requests and JSON parsing. The commands contain no dynamic shell expansion or user-controlled interpolation that could enable injection.
INFO Standard sparse-checkout installation, GitHub only -5
The installation performed a depth-1 sparse-checkout of the openclaw/skills monorepo targeting only the davidus05/preisrunter subpath, then copied two files to the skill directory. The only external network destination was GitHub (140.82.121.4:443). No unexpected processes were spawned, and there were no filesystem modifications outside the skill directory.