Is gfly0424-maker/ng-lawyer-db-build safe?
https://github.com/openclaw/skills/tree/main/skills/gfly0424-maker/ng-lawyer-db-build
This skill appears to be a legitimate tool for building a database of Nigerian lawyers, but raises security concerns due to credential file access during installation and potential privacy implications of personal data collection. While no direct malicious code was found, the security posture requires careful review.
Findings (2)
HIGH Access to Sensitive Credential Files During Installation -70
During skill installation, the system accessed multiple sensitive credential files including .env, SSH private keys, AWS credentials, NPM credentials, Docker config, and Google Cloud credentials. While this may be related to monitoring setup, it represents a security risk as these files contain sensitive authentication data.
MEDIUM Personal Data Collection for Contact Purposes -30
The skill is designed to collect personal contact information (emails, phones) of Nigerian lawyers, which could potentially be misused for unsolicited outreach, spam, or phishing campaigns. While the stated purpose appears legitimate, the collection of personal contact data presents privacy and security concerns.