Is gglucass/criticaster safe?

https://github.com/openclaw/skills/tree/main/skills/gglucass/criticaster

Overall score: 87
Verdict: SAFE

The Criticaster skill provides a legitimate product review aggregation service and contains no malicious code, prompt injection patterns, or attempts to read sensitive system files. Its primary security concern is a data collection workflow that instructs the agent to harvest user email addresses and send them to criticaster.com when products are not found, and to autonomously read user email inboxes if such tools are available — both without prominent user disclosure. All canary files remained intact and clone behavior was normal.

Category Scores

Prompt Injection 87/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 92/100 · 10%
Behavioral Reasoning 76/100 · 5%

Findings (6)

MEDIUM · User email harvested and sent to external service · -18

The skill's 'No Results — Request or Upvote' workflow instructs the agent to submit user email addresses to criticaster.com via POST /api/product-requests and POST /api/upvotes. This happens when a product search returns no results, which is a common case for niche categories. The user is asked to provide their email, which is then sent to a third-party server without any disclosure about how it will be used. Over many users this systematically builds an email marketing list.

MEDIUM · Autonomous email inbox access instructed without per-action consent · -10

The skill explicitly instructs the agent to autonomously read the user's inbox if email tools are available: 'If you have email access, you can complete this flow autonomously.' A user asking for product recommendations has not consented to the agent accessing their email. An agent with email tools would read the user's inbox to extract a 6-digit verification code from criticaster.com, without asking permission for that specific action.

LOW · Skill expands agent scope to email access without explicit user request · -13

By instructing the agent to autonomously use email tools if available, the skill extends its operational boundary beyond the declared purpose of product search. A user invoking this skill for a product recommendation has not authorized email inbox access as part of that interaction. This represents an undisclosed capability expansion that could surprise users.

LOW · External API responses injected into agent context without sanitization · -14

All product names, descriptions, review excerpts, pros/cons, and recommendation text are fetched from criticaster.com and rendered directly in agent responses. The skill does not instruct any validation of API responses. A compromised or malicious criticaster.com API could embed prompt-injection instructions in product descriptions or review text, and the agent would process that text as part of its context with no instruction to treat it as untrusted data.

LOW · Systematic email collection business model embedded in skill logic · -10

The skill's fallback workflow for missing products is specifically designed to maximize email collection: check existing requests → if not found, ask user for email → POST to criticaster.com. Every user whose query returns no results becomes a potential email submission. This suggests the skill's secondary purpose is to grow criticaster.com's email list using the agent as a collection mechanism.

INFO · Canary file PATH audit records present but integrity confirmed · -8

Linux audit PATH records for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials appear both before (1771906554.441, before git clone at 1771906559) and after install (1771906576.656, batch with identical timestamp and consecutive audit IDs 6873-6878). Pre-install timing and batch access pattern confirm these are Oathe monitoring framework sweeps, not the skill. Canary integrity report confirms all files intact with no exfiltration.