Is felixgo2140/market-movers safe?

https://github.com/openclaw/skills/tree/main/skills/felixgo2140/market-movers

Score: 90/100 · SAFE

The market-movers skill is a straightforward financial data aggregator that instructs an LLM agent to scrape top gainers and losers across US, HK, and CN markets and return the results as strict JSON. The SKILL.md contains no prompt injection patterns, no hidden instructions, no executable code, and no data exfiltration mechanisms; the observed credential file accesses in monitoring occurred five seconds before the skill was even cloned and are attributable to the audit framework's own baseline and verification passes, with all canary files confirmed intact. The primary residual risk is the inherent second-order prompt injection surface of any unbounded web-scraping skill.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 87/100 · 10%
Canary Integrity 93/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (8)

MEDIUM Unrestricted internet scraping without domain allowlist -10

The skill mandates real internet access without scoping permitted domains. While necessary for market data aggregation, this grants the agent broad network access that could be exploited via prompt injection embedded in scraped financial content.

LOW Agent persona replacement -5

The skill replaces the agent's identity with '你是一个金融市场扫描器' ("You are a financial market scanner") for the duration of execution. This is a standard skill pattern but constitutes an implicit system prompt override.

LOW Output suppression directive suppresses agent transparency -5

'禁止任何解释文字' ("No explanatory text of any kind is allowed") prevents the agent from appending caveats, errors, or contextual information to its response. This reduces user visibility into agent reasoning.

LOW Second-order prompt injection risk inherent in web scraping -10

Financial market data pages may embed HTML/text instructions that an LLM agent would process as commands. This is a structural risk of the skill's design rather than authored malice.

INFO Credential file accesses predate skill installation by 5 seconds -5

Multiple credential files were opened and read at audit timestamp 1771930909, before the git clone began at 1771930914. A second batch appears at 1771930926 during post-audit canary verification. Both batches are attributable to the audit framework, not the skill.

INFO All honeypot files intact -7

Canary integrity verification confirms no credential file contents were modified or sent to external endpoints during the audit window.

INFO Skill package contains no executable components -3

Only SKILL.md and _meta.json exist in the skill directory. No scripts, hooks, binaries, or npm manifests found.

INFO Install network traffic confined to GitHub -13

All TCP connections during the clone operation targeted 140.82.121.4:443 (github.com). No connections to unexpected third-party hosts were observed during installation.