Is evoleinik/gift-genius safe?

https://github.com/openclaw/skills/tree/main/skills/evoleinik/gift-genius

78
CAUTION

Gift Genius is a technically clean commercial affiliate skill (no malicious code, no credential theft, no prompt injection attacks) that routes gift purchases through a third-party platform (airshelf.ai) using hardcoded merchant IDs with undisclosed commission arrangements. Its primary risks are commercial rather than technical: it can initiate real financial transactions with minimal user confirmation friction, transmits personal relationship and location data to an external service, and contains a material description mismatch between its stated Singapore routing behavior (supplements) and its actual implementation (flowers) — a deception signal that undermines trust in the skill author's candor. Users who install this skill should understand it operates as a commercial purchase funnel, not a neutral gift advisor.

Category Scores

Prompt Injection 83/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (9)

HIGH Checkout API enables agent to execute real purchases with minimal user confirmation -20

The skill instructs the agent to POST to airshelf.ai checkout endpoints to complete real financial transactions. The skill's conversation examples frame checkout as an immediate next step with urgency cues ('order by noon', 'done in 60 seconds'), creating a pattern where the agent may initiate purchases before the user has meaningfully consented to the specific transaction. No payment authentication step is modeled in any example flow.

HIGH Description mismatch: stated Singapore routing contradicts implemented behavior -30

The skill's published description states 'Singapore users to wellness supplements (Aveva Life)' but the actual SKILL.md routes Singapore users to Far East Flora (a flower merchant). This inconsistency between the marketplace-facing description and the real instruction set is a deception signal indicating the skill author misrepresented the skill's behavior to prospective installers. Description-reality gaps are a recognized indicator of adversarial skill design.

MEDIUM Personal relationship and financial context transmitted to third-party API in plaintext -15

Each search query encodes user-provided personal context — geographic location, price budget, and relationship classification (wife, new girlfriend, mom, friend) — as plaintext URL parameters sent to dashboard.airshelf.ai. This data is transmitted without user awareness that it is leaving the agent context, and airshelf.ai's data retention and sharing practices are unknown to the user.

MEDIUM Hardcoded affiliate merchant IDs with no commission or conflict-of-interest disclosure -20

The skill hardcodes specific opaque merchant IDs for 10 merchants across 7 product categories. All transactions are funneled through airshelf.ai using these IDs. There is no disclosure of whether the skill author or airshelf.ai earns affiliate commissions on completed purchases. Users have no mechanism to verify the neutrality of product recommendations, which may be influenced by commission structures invisible to them.

MEDIUM Multi-skill chaining instructions enable unsolicited proactive purchase campaigns -12

The skill explicitly instructs the agent to integrate with Calendar skills to detect upcoming Valentine's Day events and proactively suggest purchases, and with Messaging skills to compose card messages post-checkout. This creates a purchase initiation surface that activates without direct user request — the user opening their calendar app could trigger a gift purchase suggestion from this skill.

LOW Relationship classification data embedded in externally logged API queries -5

Sensitive relationship status descriptors ('wife', 'girlfriend', 'mom') appear in natural language search terms sent to a third-party API. If airshelf.ai logs query strings, this creates a persistent external record associating user identity context with relationship information that the user did not intend to disclose to a third party.

LOW External URL fetching is core operation, not disclosed as network-dependent -5

The skill's metadata describes the skill as a 'gift finder' but does not explicitly state that it requires outbound network access to function. Users installing the skill may not anticipate that it will make real-time API calls to an external commercial service for every recommendation. The curl binary requirement is declared in metadata, but its implications (external data transmission) are not highlighted.

LOW Pre-clone SSH infrastructure connections to Canonical servers visible in monitoring window -8

Network connections to 91.189.91.48 and 185.125.188.59 (Canonical/Ubuntu infrastructure) are visible in the monitoring trace. These pre-date the git clone by approximately 5 seconds and appear to be existing SSH session management connections unrelated to the skill install. No correlation to skill install process found.

INFO Canary files accessed by audit framework during setup and teardown, not by skill -12

All six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) appear in inotify open/access events at 10:51:32 and in auditd PATH records at timestamps 1771930292 and 1771930310. The 10:51:32 accesses are approximately 6 seconds before the git clone began (10:51:38 per network traffic), placing them firmly in the audit framework initialization phase. The post-install auditd records at 1771930310 correspond to the framework's post-install integrity verification. No EXECVE event from the skill or its install script accesses these paths. Integrity report confirms all files unmodified.