Is garibong-labs/ipo-alert safe?

https://github.com/openclaw/skills/tree/main/skills/garibong-labs/ipo-alert

Overall score: 90 (SAFE)

This IPO alert skill appears to be a legitimate tool for monitoring Korean IPO schedules from 38.co.kr. The code is focused on its stated purpose with no obvious malicious behavior. The main security concerns are the use of subprocess with curl for external requests and dependency on external HTML content parsing.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (3)

MEDIUM Subprocess usage with external URLs -25

The skill uses subprocess.run to execute curl commands with URLs from 38.co.kr. While the URLs are hard-coded and appear legitimate, this introduces a potential command-injection risk if the code is later modified or if the external site is compromised.

LOW External HTML processing -10

The skill fetches and parses HTML content from an external source (38.co.kr). While this is the intended functionality, maliciously crafted HTML responses could potentially be used to attack the parser.

LOW External dependency risk -15

The skill's functionality depends entirely on an external website (38.co.kr) for data. If this site is compromised or starts serving malicious content, it could affect the skill's behavior.