Is fusionlabssource/captcha-ai safe?

https://github.com/openclaw/skills/tree/main/skills/fusionlabssource/captcha-ai

89
SAFE

This skill implements reverse-CAPTCHA functionality to verify AI agents through an external ClawPrint API service. The main security concern is transmission of secret API keys to external servers, though the overall functionality appears legitimate.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (3)

MEDIUM Secret API key transmitted to external server -20

The skill requires a CLAWPRINT_SECRET_KEY environment variable whose value is sent to an external server for validation. If the server is compromised or the connection is intercepted, this credential could be exposed.

LOW Executable shell script present -15

The skill includes an executable bash script that runs system commands (curl, jq). While the commands appear legitimate, executable scripts present a potential attack surface.

INFO External API service dependency -5

The skill's functionality depends entirely on an external ClawPrint API service. This creates a potential attack vector if the service is compromised or unavailable.