Is dimkag79/slovecaptcha safe?

https://github.com/openclaw/skills/tree/main/skills/dimkag79/slovecaptcha

90
SAFE

This skill provides CAPTCHA-solving capabilities through an external XEvil service. No malicious code was detected, but its security-bypassing functionality carries inherent risk. The skill is implemented as a clean API specification without executable code, though sensitive files were accessed during installation and the specification uses hard-coded credentials.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (4)

MEDIUM Enables CAPTCHA bypass for potential malicious automation -50

This skill is explicitly designed to bypass CAPTCHA security measures, which could be used for malicious automation, spam, or attacks against websites that rely on CAPTCHAs for protection. While CAPTCHA solving has legitimate use cases, this functionality poses inherent risks.

LOW Sensitive files accessed during installation -10

The installation process accessed sensitive files including .env, SSH keys, AWS credentials, and other configuration files. While no exfiltration occurred, this suggests some form of system scanning behavior.

INFO Hard-coded API credentials -5

The skill contains a hard-coded API key '4fbb2f48cc9576e5e500a82585b739c3' in the OpenAPI specification, which could be a security risk if the key is shared or compromised.

INFO Connects to unknown external server -5

The skill is configured to connect to an external server at 91.84.99.54:80, which is not a well-known service provider, potentially introducing reliability and security risks.