Is fengertian5/china-demand-mining safe?
https://github.com/openclaw/skills/tree/main/skills/fengertian5/china-demand-mining
This skill presents significant security concerns primarily due to accessing sensitive credential files during installation, despite appearing to have legitimate data scraping functionality. The combination of credential access attempts and executable code creates a high-risk profile.
Findings (5)
CRITICAL: Unauthorized Access to Sensitive Credential Files (-75)
During installation, the skill accessed multiple sensitive files containing credentials and configuration data, including SSH private keys, AWS credentials, and environment variables. While no modification or exfiltration was detected, accessing these files at all indicates potential credential harvesting behavior.
HIGH: Multiple Executable Python Scripts Present (-20)
The skill contains 11 Python scripts that constitute executable code. While they appear to be legitimate tools for data scraping and analysis, executable code increases the attack surface and could be modified for malicious purposes.
MEDIUM: Honeypot File Access Without Modification (-50)
The skill accessed sensitive honeypot files designed to detect credential harvesting attempts. While the files were not modified, the access itself is a strong indicator of potentially malicious behavior.
MEDIUM: High-Risk Behavioral Pattern (-60)
The combination of credential file access and executable data scraping tools creates a high-risk profile. This skill could be used to harvest credentials and then use them to access external social media platforms for unauthorized data collection.
LOW: Overly Prescriptive Instructions (-15)
The SKILL.md contains very detailed and prescriptive instructions for data scraping operations, which could be seen as attempting to override normal agent behavior patterns.