Is dimitriharding/content3 safe?
https://github.com/openclaw/skills/tree/main/skills/dimitriharding/content3
The content3 skill is a well-structured API documentation wrapper for the Content3 video-and-social-media platform. No prompt injection, hidden instructions, obfuscation, or exfiltration attempts were detected in SKILL.md, and the install process performed only an expected sparse git clone from GitHub with no filesystem side effects or suspicious network activity. The primary risks are operational rather than malicious: the skill enables an agent to autonomously publish to linked social media accounts without per-post confirmation, and share links grant unauthenticated external parties the ability to modify review status — both are features of the Content3 service design that users should be aware of before granting agents access to their credentials.
Findings (6)
MEDIUM Autonomous social media publishing without per-post confirmation -15
The skill's documented workflow instructs the agent to POST /social/drafts/{draftId}/publish to enqueue content for publishing to all connected social platforms. An agent following this workflow autonomously could publish user content without an explicit confirmation step at publish time, especially in batch workflows. This is a design feature of Content3, not a malicious insertion, but warrants user awareness.
MEDIUM Share links allow unauthenticated external review status changes -12
The skill documents creating public share links for reviews (POST /reviews/{id}/share) that let anyone with the link view content, change the review status (approve/reject), and comment without a Content3 account. If these links are sent to untrusted parties or exposed inadvertently, the review pipeline can be manipulated externally.
LOW API key read from plaintext file for every request -9
The skill instructs agents to use C3_KEY=$(cat ~/.config/content3/api_key) and embed it in Authorization Bearer headers. While targeting the legitimate api.content3.app endpoint, the key is read from disk on each invocation. If the agent is manipulated by a prompt injection from external content (e.g., a Reddit post source), the API key value in the shell environment could potentially be referenced in a crafted payload. Risk is low given the hardcoded endpoint.
LOW Canary files read at two audit timestamps -7
Kernel audit records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were opened at 1771913801.706 (session init) and again at 1771913818.826 (post-install). Timing and audit sequence numbers correlate with the openclaw-gateway audit process (pid=1088) running baseline canary checks. No modification or exfiltration detected. Noted for completeness.
LOW Full-access wildcard scope documented without least-privilege guidance -6
The scopes reference table documents * (full access to all scopes) as a valid API key scope without advising agents or users to prefer minimal-privilege scopes. An agent setting up or requesting a new API key might inadvertently request or accept a wildcard-scoped key, granting broader permissions than necessary.
INFO Shell examples are documentation, not executable scripts 0
SKILL.md contains numerous bash/curl code blocks illustrating API usage. These are documentation examples for the agent to follow, not auto-executing scripts. No npm scripts, git hooks, submodules, or binary payloads were found. The install produced only SKILL.md, _meta.json, and .clawhub/lock.json.