Is edibez/priceforagent safe?

https://github.com/openclaw/skills/tree/main/skills/edibez/priceforagent

88
SAFE

The priceforagent skill is a documentation-only skill with no executable code, consisting solely of SKILL.md and _meta.json. Installation was clean: no unexpected network connections, no canary file compromise, no prompt injection text, and no code execution of any kind. The concerns are operational rather than malicious — the skill routes all queries including natural language requests through an unaudited third-party service (p4ai.bitharga.com) with no disclosed privacy policy, and requires agent ID registration that enables cross-session tracking by the service operator.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (7)

MEDIUM Natural Language Queries Transmitted to Unaudited Third-Party Server -15

The /v1/query endpoint accepts full natural language strings and sends them to p4ai.bitharga.com. When an agent uses this mode, the query string — which could include user context, portfolio details, or conversational fragments — is transmitted to an external server with no disclosed privacy policy or data retention limits. The operator of p4ai.bitharga.com receives and logs all queries.

LOW Agent Registration Creates Persistent External Identity Fingerprint -7

The skill requires the agent to POST an agent_id to /v1/register before making any queries. This registration ties a persistent identifier to all subsequent API usage, allowing the service operator to track request patterns across sessions and correlate activity to specific agent deployments.

LOW External API Responses Are a Secondary Prompt Injection Surface -10

All price data consumed by the agent originates from p4ai.bitharga.com. If the service operator is malicious or the service is compromised, JSON responses could embed prompt injection payloads. This is not a vulnerability in SKILL.md itself but an inherent risk of routing agent context through any unaudited external API.

LOW No Privacy Policy or Data Handling Disclosure -18

SKILL.md contains no reference to a privacy policy, terms of service, or data retention practices for p4ai.bitharga.com. Server-side logging is confirmed by the 'Global limit: 10 million calls' rate limit counter and the dedicated /v1/usage endpoint, indicating all API calls are tracked and persisted by the service operator.

INFO No Executable Code Present — Clean Documentation-Only Skill 0

The skill consists exclusively of SKILL.md and _meta.json. No JavaScript, Python, shell scripts, Makefiles, Dockerfiles, git hooks, submodules, or symlinks were found. The install was a sparse git checkout with no code execution of any kind.

INFO No Unexpected Network Connections During Install 0

The only outbound connection during skill installation was to GitHub (140.82.121.3:443) for the git sparse checkout, which is fully expected. Pre-existing Ubuntu infrastructure connections to 91.189.91.49 and 185.125.188.54 are system-level and unrelated to the skill. No connection to p4ai.bitharga.com was initiated at install time.

INFO All Canary Files Intact — No Exfiltration Detected 0

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were not modified. Read events visible in auditd PATH records at timestamps 1771921432 (pre-install) and 1771921450 (post-install) correspond to the audit harness's own baseline and integrity verification passes, not to skill code execution — confirmed by the skill having zero executable code.