Is finnbusse/webuntis safe?

https://github.com/openclaw/skills/tree/main/skills/finnbusse/webuntis

98
SAFE

This is a legitimate WebUntis timetable integration skill that provides read-only access to student schedules. The skill follows security best practices by using environment variables for credentials and avoiding password input in chat. No malicious behavior or significant security risks were detected.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (2)

LOW System processes accessed canary files -5

During execution, system processes accessed honeypot credential files, though this appears to be normal PAM/NSS behavior rather than skill-initiated access

INFO Requires external service credentials -10

The skill requires WebUntis credentials to be provided via environment variables for legitimate functionality