Is froemic/specter safe?
https://github.com/openclaw/skills/tree/main/skills/froemic/specter
This skill provides comprehensive documentation for the Specter CLI tool, which enables business intelligence data enrichment through company and people lookups. The skill itself contains only documentation files and exhibits no malicious behavior, but requires users to install external code via npm.
Findings (3)
MEDIUM External Package Installation Required -15
The skill instructs users to clone, install, and build an external npm package from git@github.com:FroeMic/tryspecter-cli.git. While the skill itself contains no executable code, users will be running external code with npm install, npm run build, and npm link commands.
LOW API Key Environment Variable Usage -8
The skill recommends storing the SPECTER_API_KEY in environment files including ~/.claude/.env. While this is standard practice for API tools, it creates a potential vector for credential exposure if the external tool is compromised.
LOW External Network Dependency -5
Installation requires network access to clone external repositories from GitHub. While this is standard for development tools, it creates a dependency on external infrastructure.