Is geozhu/ahrefs safe?

https://github.com/openclaw/skills/tree/main/skills/geozhu/ahrefs

91
SAFE

This skill provides documentation for the Ahrefs SEO API and contains only static documentation files with no executable code. Some sensitive honeypot files were read during installation, but no transfer of their contents off the host was observed during the scan and all canary files remained intact.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

MEDIUM Sensitive files accessed during installation -25

The skill installation process read several sensitive honeypot files, including .env, SSH keys, AWS credentials, .npmrc, Docker config, and GCloud credentials. None of these files were modified and no exfiltration was observed, but a documentation-only skill has no reason to touch credential files, and the scan can only show that nothing left the sandbox, not that the contents were never read into the skill's context. Treat the pattern as something to review rather than as cleared.

LOW Canary file access without modification -5

Honeypot files were read during installation but remained intact, with no evidence that their contents were exfiltrated. Reads without writes or network egress are consistent with an installer that scans the workspace, so this is scored low on its own; it is the same access pattern recorded in the medium finding above.

LOW API token configuration in environment variables -10

The skill instructs users to store API tokens in environment variables. An exported variable is inherited by every child process, is visible to other processes running as the same user (on Linux through /proc/<pid>/environ, and through ps when it shows environments), and tends to end up in shell profiles, history, and CI logs. That is acceptable on a single-user machine but needs a caveat for shared or multi-tenant environments, which the skill's instructions do not give.
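To make the environment-variable concern concrete, the following POSIX shell script is an added example, not code from the geozhu/ahrefs skill or from Ahrefs. It shows that an exported token is inherited by any child process, and one alternative: keep the token in a mode-0600 file, refuse files with group or other permissions, and hand the token to curl through a config file (`-K`), so it appears neither in argv (readable by every user via ps) nor in the environment. The variable name AHREFS_API_TOKEN, the token values, and the API URL placeholder are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not part of the geozhu/ahrefs skill. Names and values
# below (AHREFS_API_TOKEN, the token strings, AHREFS_API_URL) are assumed.

# (1) A token exported into the environment is inherited by every child
# process. On Linux the same value is readable by the same user from
# /proc/<pid>/environ of any process that inherited it.
token_visible_to_child() {
    AHREFS_API_TOKEN="constructed-example-token" \
        sh -c 'printf "%s" "$AHREFS_API_TOKEN"'
}

# (2a) Read the token from a file, refusing any file that grants group or
# other permissions. Parses ls -l so it works on GNU and BSD userlands.
load_token_from_file() {
    file="$1"
    [ -f "$file" ] || { echo "token file missing: $file" >&2; return 1; }
    mode=$(ls -ld "$file" | cut -c5-10)   # group+other permission bits
    if [ "$mode" != "------" ]; then
        echo "refusing $file: group/other permissions set ($mode)" >&2
        return 2
    fi
    tr -d '\n' < "$file"                  # drop a trailing newline
}

# (2b) Write a curl config carrying the Authorization header. curl reads it
# with -K/--config, so the token is never placed in argv or the environment
# of the curl process. The config file itself is created mode 0600.
write_curl_config() {
    token=$(load_token_from_file "$1") || return $?
    cfg=$(mktemp) || return 1
    chmod 600 "$cfg"
    printf 'header = "Authorization: Bearer %s"\n' "$token" > "$cfg"
    printf '%s' "$cfg"
}

# Demo: sh example.sh demo   (AHREFS_API_URL is an assumed placeholder)
if [ "${1:-}" = "demo" ]; then
    cfg=$(write_curl_config "$HOME/.ahrefs_token") || exit 1
    curl -sS -K "$cfg" "${AHREFS_API_URL:?set AHREFS_API_URL}"
    rm -f "$cfg"
fi
```

The permission check matters more than the file itself: a 0644 token file on a shared host is no better than an exported variable. Deleting the generated config after the call keeps the token's lifetime on disk to the duration of the request.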