Is eashish93/kitful safe?

https://github.com/openclaw/skills/tree/main/skills/eashish93/kitful

90
SAFE

The eashish93/kitful skill is a well-structured, commercially legitimate wrapper around the Kitful.ai article generation API with no prompt injection, no executable code, no exfiltration directives, and clean installation behavior. Its only material risk factors are inherent to its function: user topic and context data is transmitted to the Kitful.ai third-party service on every invocation, and the 15-minute status polling loop may consume agent context for extended periods. Observed sensitive file reads during the audit are attributable to the audit harness's own SSH session management, not the skill.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 83/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 91/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

LOW User conversation context transmitted to third-party Kitful.ai API -8

The skill extracts the user's topic, contextual framing, language preference, promotional mode, and brand URL from the conversation and POSTs them to https://kitful.ai/api/v1/articles/generate. This is the skill's core function but users should be aware that conversation content leaves the local agent environment on every invocation.

LOW API credential transmitted to external service on every call -5

The KITFUL_API_KEY is included as a Bearer token in Authorization headers for both the generate POST and every status poll GET. This is standard OAuth/API-key usage but means the credential is transmitted to kitful.ai on every agent invocation of this skill, including during the 15-minute polling phase (up to 90 requests per article).

LOW Polling loop may occupy agent context for up to 15 minutes per article -10

The skill instructs the agent to poll an external status endpoint every 10 seconds for a maximum of 90 attempts before timing out. This means a single article generation can block the agent in a polling loop for up to 15 minutes. In batch mode with multiple topics, this duration multiplies. No mechanism exists in the skill to allow the user to cancel mid-poll.

INFO Explicit response sanitization instructions reduce injection surface (positive finding) 0

The skill proactively instructs the agent to display error messages as plain text only, never as markdown or HTML, and to silently ignore all unexpected fields in API responses. This is a well-designed defensive measure that limits the ability of a compromised or malicious Kitful.ai backend to inject instructions into the agent via crafted API responses.

INFO Sensitive file reads during audit attributed to audit harness SSH infrastructure 0

Audit logs captured two sets of access events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials — one at 07:00:37 (before clone, concurrent with audit harness ss -tunap and initial SSH establishment) and one at 07:01:00 (after skill read, concurrent with repeated sshd session teardown/setup cycles). Both sets are consistent with sshd reading user environment and authorized_keys as part of normal session management by the audit harness itself. No corresponding outbound data transmission to unexpected endpoints was detected. Canary integrity confirmed intact.