Is divine-comedian/myosin-hivemind safe?
https://github.com/openclaw/skills/tree/main/skills/divine-comedian/myosin-hivemind
This skill appears to be a legitimate Web3 marketing knowledge base search tool, but the audit has a critical gap: the main executable script could not be inspected. No active malicious behavior was observed during installation, but the inability to audit the core functionality presents significant security concerns.
Category Scores
Findings (4)
HIGH Unauditable executable code -60
The skill contains an executable JavaScript file (hivemind-search.mjs) that was not included in the source code audit dump, making it impossible to verify its safety or intended behavior.
MEDIUM Environment file access -30
The skill accesses environment configuration files to retrieve API keys. While this is documented behavior for its legitimate function, it poses a risk if sensitive environment variables are accessible.
LOW External API response risk -5
The skill retrieves content from an external API which could potentially contain malicious instructions if the API is compromised, though no direct evidence of this risk is present.
LOW Third-party API dependency -25
The skill's functionality depends entirely on a third-party API service, creating potential security and availability risks if that service becomes malicious or compromised.