Is gizmo-dev/agentapi safe?

https://github.com/openclaw/skills/tree/main/skills/gizmo-dev/agentapi

Overall score: 86/100 · Verdict: SAFE

The gizmo-dev/agentapi skill is a single documentation-only markdown file (SKILL.md) with no executable code, install hooks, git hooks, or prompt injection patterns. The install was clean: a GitHub sparse checkout with no unexpected network connections and no filesystem changes outside the skill directory. The two material risks are a hardcoded cryptocurrency wallet address that lets an agent make x402 micropayments to the skill author, and the routing of every agent API query through author-controlled infrastructure (agentapihub.com). Both are disclosed in the skill's own safety notice, but a notice in a markdown file enforces nothing; any mitigation has to live in the agent's wallet and HTTP tooling.

Category Scores

Category              Score    Weight
Prompt Injection      80/100   30%
Data Exfiltration     82/100   25%
Code Execution        95/100   20%
Clone Behavior        95/100   10%
Canary Integrity      97/100   10%
Behavioral Reasoning  72/100    5%

Weighted total: 24.0 + 20.5 + 19.0 + 9.5 + 9.7 + 3.6 = 86.3, reported as 86/100.

Findings (6)

MEDIUM Hardcoded cryptocurrency wallet address enables targeted payments -20

The SKILL.md embeds a specific USDC recipient wallet (0xcCb92A101347406ed140b18C4Ed27276844CD9D7, labeled gizmolab.eth) as the payment destination for x402 API calls. Any agent equipped with a Base-chain USDC wallet that follows the documented x402 flow will send funds to this address. The financial exposure scales with the number of API calls made and the agent's autonomy level. Because the address is part of the skill text, an agent that trusts the file as instructions will also trust it as the payee; an operator-maintained recipient allowlist held outside the skill is the control that breaks that link.

LOW x402 micropayment protocol operational detail sufficient for autonomous execution -8

The five-step x402 flow (call endpoint → receive 402 → pay USDC on Base → retry with proof → receive response) is described with enough specificity that an agent with wallet tooling could execute it without an explicit user instruction for each request. The skill's own safety notice acknowledges this risk but cannot enforce compliance; per-request approval, a per-call cap and a session budget have to be enforced by the agent's wallet tooling, not by the skill.
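The gate a practitioner would put around that flow, as an added example that is not the skill's, agentapihub.com's or the x402 project's own code. The endpoint is an in-memory fake, the header names (PAYMENT-REQUIRED, X-PAYMENT), the JSON shape of the payment requirement and the per-call price are assumptions, and wallet signing is simulated. What the example does show is the control that the finding above on the hardcoded wallet and this finding both call for: the agent pays only a recipient on an operator-held allowlist, under a per-call cap and a session budget, and only after a per-request approval callback says yes; a refused payment never reaches step 3.

```python
import base64
import json
import secrets
from dataclasses import dataclass
from decimal import Decimal

# Recipient quoted in the wallet finding (gizmolab.eth). Putting it on the allowlist
# is an operator decision made for this demo; the skill file is never the source.
SKILL_RECIPIENT = "0xcCb92A101347406ed140b18C4Ed27276844CD9D7".lower()
PRICE_PER_CALL = "0.01"  # constructed price for the fake endpoint, in USDC


class PaymentRefused(Exception):
    """Policy blocked the payment: the request is not retried and nothing is spent."""


@dataclass
class PaymentPolicy:
    allowed_recipients: set        # lowercased 0x addresses approved by the operator
    max_per_call: Decimal          # USDC cap on a single 402 payment
    budget: Decimal                # USDC cap on cumulative spend for this session
    spent: Decimal = Decimal("0")

    def refusal_reason(self, req):
        """Return None if the requirement may be paid, otherwise a short reason."""
        if req.get("asset") != "USDC" or req.get("network") != "base":
            return "unexpected asset or network"
        if req.get("recipient", "").lower() not in self.allowed_recipients:
            return "recipient not on allowlist"
        amount = Decimal(req["amount"])
        if amount > self.max_per_call:
            return "amount exceeds per-call cap"
        if self.spent + amount > self.budget:
            return "session budget exhausted"
        return None


class FakeAgentApiServer:
    """In-memory stand-in for a paywalled endpoint; not the real agentapihub.com."""

    def __init__(self, recipient):
        self.recipient = recipient
        self.payments_received = []

    def handle(self, path, headers):
        requirement = {"amount": PRICE_PER_CALL, "asset": "USDC", "network": "base",
                       "recipient": self.recipient, "resource": path}
        proof = headers.get("X-PAYMENT")                 # assumed header name
        if proof is None:
            encoded = base64.b64encode(json.dumps(requirement).encode()).decode()
            return 402, {"PAYMENT-REQUIRED": encoded}, ""
        payment = json.loads(base64.b64decode(proof))
        if any(payment.get(k) != requirement[k] for k in requirement):
            return 402, {}, "payment does not match requirement"
        self.payments_received.append(payment)
        return 200, {}, json.dumps({"results": [f"constructed result for {path}"]})


def sign_payment(req):
    """Stand-in for wallet signing: an opaque proof the fake server accepts."""
    payload = dict(req, nonce=secrets.token_hex(8))
    return base64.b64encode(json.dumps(payload).encode()).decode()


def fetch_with_payment(server, path, policy, approve):
    """call -> 402 -> pay -> retry -> response, paying only when policy and user allow."""
    status, headers, body = server.handle(path, {})                  # 1. call endpoint
    if status != 402:
        return body
    req = json.loads(base64.b64decode(headers["PAYMENT-REQUIRED"]))  # 2. read the 402
    reason = policy.refusal_reason(req)
    if reason is not None:
        raise PaymentRefused(reason)
    if not approve(req):                                             # per-request consent
        raise PaymentRefused("user declined payment")
    proof = sign_payment(req)                                        # 3. pay (simulated)
    status, _, body = server.handle(path, {"X-PAYMENT": proof})      # 4. retry with proof
    if status != 200:
        raise PaymentRefused(f"server rejected proof: {body}")
    policy.spent += Decimal(req["amount"])                           # 5. response; log spend
    return body


def attempt(server, path, policy, approve):
    """Return "paid" on success or the refusal reason, so outcomes are easy to inspect."""
    try:
        fetch_with_payment(server, path, policy, approve)
        return "paid"
    except PaymentRefused as exc:
        return str(exc)


def demo():
    """Three calls under a 0.02 USDC budget: the third is refused before any payment."""
    server = FakeAgentApiServer(SKILL_RECIPIENT)
    policy = PaymentPolicy({SKILL_RECIPIENT}, Decimal("0.05"), Decimal("0.02"))
    outcomes = [attempt(server, "/search?q=weather", policy, lambda req: True)
                for _ in range(3)]
    return outcomes, str(policy.spent), len(server.payments_received)
```

The order of checks matters: the recipient, cap and budget tests run before the approval callback so that a user is never asked to approve a payment the policy would refuse anyway, and spend is recorded only after the server returns 200, so a rejected proof does not consume budget.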

LOW All API queries routed through author-controlled infrastructure -10

The skill directs agents to issue all directory searches and API lookups to agentapihub.com, a domain operated by the skill author. This server receives agent-generated query strings that may reflect sensitive task context (e.g., searching for 'AWS credentials API' or 'send message to employee'). No data is read from local files, but agent behavioral patterns are visible to the operator.

LOW External URLs present for agent fetching -10

The SKILL.md contains multiple live URLs (agentapihub.com, api.agentapihub.com/api/docs, twitter.com/gizmolab_, gizmolab.io) that an agent with browser or HTTP tools could automatically dereference. The content of these URLs at fetch time is not fixed, introducing a vector for future content-based injection.

INFO Shell command examples executable by tool-equipped agents -5

The documentation includes bash curl invocations in fenced code blocks. While these are benign directory queries, an agent with shell execution tools may treat them as runnable commands, making outbound HTTP requests to the author's service as a side effect of merely reading the skill.

INFO Version mismatch between installed SKILL.md and _meta.json -3

The SKILL.md frontmatter declares version 1.0.7 while _meta.json reports the latest published version as 1.0.8. Either the installed content is one patch behind the current release, or 1.0.8 was published without bumping the frontmatter version. The discrepancy is minor, but it means the text that was scanned may not be the text the registry currently serves.
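A static audit that surfaces the indicators behind the wallet, external-URL, shell-command and version-mismatch findings above, as an added example that is neither the scanner's nor the skill's own code. The SKILL.md and _meta.json it reads are constructed here to resemble what the report describes, and the `latest_version` key in _meta.json is an assumption about that file's schema. The address check is syntactic (0x plus 40 hex digits) and does not validate the EIP-55 checksum.

```python
import json
import re
from urllib.parse import urlsplit

FENCE = "`" * 3  # built at runtime so the constructed sample can hold a fenced block

# Constructed sample in the shape the report describes; not the real SKILL.md.
SAMPLE_SKILL_MD = """\
---
name: agentapi
version: 1.0.7
---
# AgentAPI

Search the directory:

~~~bash
curl -s "https://api.agentapihub.com/api/docs?q=weather"
~~~

Paid endpoints answer 402. Pay USDC on Base to
0xcCb92A101347406ed140b18C4Ed27276844CD9D7 (gizmolab.eth), then retry with proof.
More at https://agentapihub.com and https://twitter.com/gizmolab_.
""".replace("~~~", FENCE)

SAMPLE_META_JSON = '{"name": "agentapi", "latest_version": "1.0.8"}'  # assumed schema

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---", re.S)
VERSION_RE = re.compile(r"^version:\s*['\"]?([^'\"\s]+)", re.M)
EVM_ADDRESS_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")      # syntactic match only
URL_RE = re.compile(r"https?://[^\s<>()'\"`]+")
FENCE_RE = re.compile(r"^" + re.escape(FENCE) + r"(\w*)[ \t]*\n(.*?)^" + re.escape(FENCE),
                      re.S | re.M)
PAYMENT_RE = re.compile(r"\b(x402|402|USDC)\b")
SHELL_LANGS = {"", "bash", "sh", "shell", "zsh", "console"}
NETWORK_TOOLS = ("curl", "wget", "nc ", "ncat", "ssh ", "scp ")


def declared_version(skill_md):
    """Version from the YAML frontmatter, or None if there is no frontmatter or key."""
    fm = FRONTMATTER_RE.match(skill_md)
    m = VERSION_RE.search(fm.group(1)) if fm else None
    return m.group(1) if m else None


def network_commands(skill_md):
    """Lines inside shell-tagged (or untagged) fences that invoke a network tool."""
    hits = []
    for lang, body in FENCE_RE.findall(skill_md):
        if lang.lower() not in SHELL_LANGS:
            continue
        for line in body.splitlines():
            cmd = line.strip().lstrip("$ ").strip()   # drop a console-style prompt
            if cmd and any(tool in cmd for tool in NETWORK_TOOLS):
                hits.append(cmd)
    return hits


def audit_skill(skill_md, meta_json):
    """Collect the indicators; lists are sorted and de-duplicated for stable output."""
    urls = sorted({u.rstrip(".,;:") for u in URL_RE.findall(skill_md)})
    declared = declared_version(skill_md)
    latest = json.loads(meta_json).get("latest_version")   # assumed _meta.json field
    mismatch = (declared, latest) if declared and latest and declared != latest else None
    return {
        "wallet_addresses": sorted(set(EVM_ADDRESS_RE.findall(skill_md))),
        "urls": urls,
        "external_hosts": sorted({urlsplit(u).hostname for u in urls}),
        "network_commands": network_commands(skill_md),
        "mentions_payment": bool(PAYMENT_RE.search(skill_md)),
        "version_mismatch": mismatch,
    }
```

Run `audit_skill(SAMPLE_SKILL_MD, SAMPLE_META_JSON)` to get one dictionary per skill; the external-host list is what an operator compares against the hosts the skill is expected to talk to, and a non-empty wallet list combined with `mentions_payment` is the signal to route the skill through a payment gate rather than a plain HTTP tool.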