Is dokbawi80/is-token-safe safe?
https://github.com/openclaw/skills/tree/main/skills/dokbawi80/is-token-safe
The is-token-safe skill poses minimal active security risk: its SKILL.md contains no prompt injection, its declared entry point is a harmless no-op, clone behavior was clean, and canary integrity was confirmed by the monitoring framework. However, the skill is functionally deceptive — it claims to provide token safety analysis for automated trading bots but always returns a passing verdict without performing any analysis, creating a dangerous false safety guarantee. The real analysis code (scan.js) would leak every token address to an undisclosed third-party service (api.honeypot.is) if ever properly integrated, and the skill manifest references a non-existent entry filename indicating it has never been functionally tested.
Findings (6)
HIGH Entry point is a non-functional no-op — false safety guarantee -35
The declared entry point index.js.js always returns {ok:true,input} regardless of input, performing no token analysis. An agent relying on this skill for trading decisions will always receive a passing verdict. For the advertised use cases (automated trading bots, Polymarket agents), this constitutes a silent failure that could result in direct financial loss if a malicious token is submitted.
MEDIUM scan.js would exfiltrate all analyzed token addresses to undisclosed third party -18
The scan.js file sends every token address to https://api.honeypot.is/v2/IsHoneypot via axios. This service is not mentioned in SKILL.md. In a trading-bot or prediction-market context, the set of tokens an agent is evaluating constitutes sensitive operational intelligence. A malicious or compromised api.honeypot.is could front-run trades or identify agent strategies.
MEDIUM skill.json entry point reference is broken -10
The skill manifest declares entry:'index.js' but the file in the repository is index.js.js. Most skill runtimes will fail to load the skill or fall back to unexpected behavior. This mismatch suggests the skill has never been functionally tested in a real agent environment.
LOW Canary credential files accessed during monitoring window -5
Six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened read-only at two timestamps: pre-install (09:21:11) and post-install (09:21:55). The timing correlation with audit framework lifecycle events, together with the CLOSE_NOWRITE flags, indicates these are framework-initiated baseline checks, not skill-initiated reads. Canary integrity was confirmed intact; no canary content appeared in outbound traffic.
LOW Non-standard double .js.js file extensions on all JavaScript files -5
All JavaScript files use a .js.js double extension (index.js.js, scan.js.js). This appears to be a monorepo convention for storing source files as inert text rather than executable modules, but it is non-standard and may cause unexpected behavior in some runtime environments that attempt to resolve modules by extension.
INFO scan.js dependencies not installable — limits immediate execution risk 0
scan.js requires ethers (Ethereum library) and axios (HTTP client) via require(), but no package.json is present in the skill directory. Without a package.json, npm cannot install these dependencies, making scan.js non-runnable in the current form. This is a mitigating factor for the external API call risk.