Is devarogundade/flowfi safe?

https://github.com/openclaw/skills/tree/main/skills/devarogundade/flowfi

92
SAFE

The flowfi skill is clean, well-structured REST API documentation for the FlowFi workflow automation platform containing no executable code, prompt injection directives, hidden instructions, or active data exfiltration mechanisms. Install behavior was limited to a standard sparse git clone from the openclaw/skills monorepo on GitHub with no unexpected network destinations, and all canary honeypot files remain intact. The primary operational consideration is that agents using this skill will transmit user JWT tokens to the third-party endpoint https://api.seimoney.link and have documented access to irreversible destructive operations such as workflow deletion and execution cancellation, which is inherent to any API integration skill of this type.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 87/100 · 5%

Findings (5)

MEDIUM User JWT Tokens Routed to Third-Party Endpoint -15

The skill instructs agents to send user-provided JWT tokens in Authorization: Bearer headers to https://api.seimoney.link for all protected API operations. This is architecturally expected for an API integration skill, but the domain (seimoney.link) is not obviously tied to a well-known brand. Users whose tokens are in agent context will have them transmitted to this host whenever the agent calls any protected endpoint.

LOW Destructive and Irreversible API Operations Documented Without Guardrails -13

The skill documents DELETE /workflows/:id (permanent removal of a workflow in any status) and DELETE /executions/:id/cancel without suggesting confirmation steps. An agent responding to vague user instructions ('clean up my workflows', 'stop everything') could invoke these irreversible operations.

LOW Hardcoded External API Endpoint in Skill Content -8

The skill embeds https://api.seimoney.link as the canonical API base URL. Agents injecting this skill into their system prompt will make outbound HTTPS connections to this domain during normal operation. The domain is not associated with a widely recognized brand, creating ambiguity about its legitimacy and persistence.

INFO Lock File References Unrelated Skill Dependency -7

.clawhub/lock.json records a previously installed 'academic-research-hub' skill (v0.1.0, installedAt 1770957475341). This is benign metadata but is unexpected in a FlowFi API skill package and indicates the lock file reflects the developer's broader workspace rather than being scoped to this skill.

INFO Canary Files Accessed Post-Install by Audit Framework -5

Auditd PATH records at timestamp 1771921158 (after install) show all six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) accessed in rapid succession. The pattern — all files in one burst, matching the identical burst at audit start (1771921141) — is consistent with the audit framework's own baseline verification probe rather than skill-driven access. Canary integrity monitor confirms no content was modified or exfiltrated.