Is dmitriyg228/vexa safe?

https://github.com/openclaw/skills/tree/main/skills/dmitriyg228/vexa

92
SAFE

This is a legitimate skill for managing Vexa meeting bots and transcripts with Google Meet and Microsoft Teams. The skill contains expected executable code for API interaction and communicates with legitimate Vexa services. No malicious behavior or security vulnerabilities detected.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

LOW Executable JavaScript Code Present -15

The skill contains several JavaScript files in the scripts directory that serve as CLI tools for Vexa API interaction. This is expected functionality but represents executable code.

LOW External API Communication -10

The skill communicates with external Vexa API endpoints at api.cloud.vexa.ai. This is legitimate functionality but involves external data transmission.

INFO API Key Handling in Chat -5

The skill offers to accept API keys via chat input as an alternative to manual setup. While the user can choose manual setup instead, this represents a potential security consideration.