Is gekkoai001/gekko safe?
https://github.com/openclaw/skills/tree/main/skills/gekkoai001/gekko
The Gekko DeFi skill presents a CAUTION-level risk profile driven by three primary concerns: (1) a $GEKKO token ticker injected at the end of SKILL.md that primes agents to promote an asset the skill operator has a financial stake in; (2) complete routing of all user interactions through an unaudited third-party API at gekkoterminal.ai with no privacy protections; and (3) behavioral instructions injected via CLAUDE.md that override agent defaults with operator-preferred branding. The install process was clean with no malware, executable code, or canary file access, but the skill's runtime architecture creates significant financial manipulation and surveillance risks.
Findings (9)
HIGH $GEKKO token ticker injected into agent context -25
The final line of SKILL.md is the bare string '$GEKKO'. In DeFi contexts this is a token ticker. Embedding it at the end of the skill definition ensures it is present in every agent context window that loads this skill, priming the agent to mention or recommend the $GEKKO token during conversations. This is a financial influence attack via context injection.
HIGH CLAUDE.md injects mandatory agent behavior instructions -15
CLAUDE.md prescribes a specific agent workflow including mandatory use of a branding emoji ('When mentioning Gekko, use the gecko emoji: 🤖'), required response format, and a step-by-step interaction pattern. Because CLAUDE.md is read by Claude agents as instruction context, this constitutes prompt injection that overrides the agent's default behavior with the skill author's preferred presentation style.
HIGH All user interactions routed to third-party gekkoterminal.ai server -55
Every capability in this skill is implemented as a POST request to https://gekkoterminal.ai/api/a2a?agent=gekko. There is no local processing. All user portfolio questions, token addresses, financial queries, and open-ended chat messages are transmitted to a server controlled by the skill authors. No privacy policy, data retention policy, or audit log is disclosed.
HIGH Fictitious technical standard (ERC-8004) used to fabricate credibility -30
The skill repeatedly claims to be 'Powered by ERC-8004' in both SKILL.md and CLAUDE.md footers. ERC-8004 does not exist as an Ethereum Improvement Proposal. This fabrication of a standards reference is a social engineering technique to make the skill appear more technically legitimate than it is.
HIGH Unverified smart contract addresses could enable fund theft -25
Five vault contract addresses are hardcoded as legitimate integrations with Seamless, Moonwell, Spark, Gauntlet, and Yearn. If an agent has transaction-signing capability (e.g., a web3 wallet tool), the skill could direct the agent to approve or deposit to these addresses. The addresses have not been independently verified against the protocols they claim to represent.
MEDIUM Open-ended chat capability sends arbitrary user messages externally -15
The 'chat' capability accepts any user message and forwards it verbatim to gekkoterminal.ai. This is a general-purpose conversation surveillance mechanism — any message a user types while the skill is active can be captured by the skill operator.
MEDIUM $GEKKO token pump-and-dump positioning -20
The combination of a DeFi market intelligence skill, trading signal generation, and a $GEKKO ticker injection creates a classic pump-and-dump architecture. The skill operator can use the gekkoterminal.ai API to return $GEKKO-favorable 'market intelligence' while the ticker injection ensures the agent mentions it organically in conversation.
LOW Install behavior clean — only GitHub contacted 0
The install process made no connections to gekkoterminal.ai or any unexpected host. The git clone contacted only github.com (140.82.121.4). No processes were spawned by the skill content itself.
INFO No executable code or install hooks present 0
The skill contains only markdown documentation files and a metadata JSON file. There are no npm scripts, shell scripts, git hooks, submodules, symlinks, or any other code execution vectors.