Oathe Security Badge

Is eliaskress/popup-organizer safe?

https://github.com/openclaw/skills/tree/main/skills/eliaskress/popup-organizer

94
SAFE

PopUp Organizer is a clean, markdown-only API documentation skill for the usepopup.com vendor marketplace with no prompt injection, no executable code, no suspicious install behavior, and fully intact canary files. Sensitive file accesses observed in monitoring are attributable to the oathe audit infrastructure's initialization and post-install scanning phases, not to the skill itself. The principal risks are inherent to any write-capable API integration — actions like accepting quotes, canceling events, and sending vendor inquiries carry real-world consequences and financial implications that require appropriate agent confirmation guardrails at the platform level.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 96/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 99/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

LOW (score impact -12): Irreversible write operations with real-world vendor notifications

Several API endpoints trigger binding side effects: creating inquiries sends vendor email and in-app notifications; accepting a quote commits the organizer to a booking arrangement; canceling an event notifies all pending and accepted vendors. An agent acting on an ambiguous user request could initiate financial commitments or damage vendor relationships without explicit user confirmation.

LOW (score impact -8): Financial transaction exposure via invoice and quote endpoints

The skill surfaces invoice amounts, payment direction (receivable/payable), and payment status, and can accept vendor quotes, which establishes pricing commitments. This is expected functionality, but it represents a meaningful financial risk surface if the agent acts without user confirmation.

LOW (score impact -10): Third-party data transmission inherent to skill function

All event details, inquiry content, vendor selections, and profile data entered by the agent are transmitted to usepopup.com. This is fully expected for an API integration skill, but users should be aware that any sensitive context the agent includes in event descriptions or inquiry messages will be sent to this third-party service.

INFO (score impact 0): Canary file reads attributed to audit infrastructure, not skill

inotify and auditd PATH records show that sensitive files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened at 10:21:41 (audit serials 265-270), 6 seconds before the git clone started at 10:21:47. These accesses are associated with the sudo/monitoring initialization process. A second batch (serials 1423-1428) occurs during the oathe post-install scan phase. The skill contains no executable code and cannot independently trigger file reads.

INFO (score impact 0): No executable code, markdown-only skill

The skill repository contains only three files: SKILL.md (API documentation), README.md (publisher instructions), and _meta.json (metadata). No scripts, compiled artifacts, build hooks, or dependency manifests are present. The README references npx clawhub publish commands intended for the skill author's publishing workflow; these are not injected into agent context.

INFO (score impact 0): Clean SKILL.md with no injection patterns

Full review of SKILL.md reveals straightforward REST API documentation with no override directives, persona changes, hidden instructions, or attempts to manipulate agent behavior beyond its declared purpose of vendor search and booking management.