Is goncharenko/hoverbot-chatbot safe?
https://github.com/openclaw/skills/tree/main/skills/goncharenko/hoverbot-chatbot
The hoverbot-chatbot skill is a pure markdown documentation and vendor-promotion skill for HoverBot's SaaS chatbot widget service; it contains no executable code, no prompt injection directives, no git hooks, no submodules, and no direct data exfiltration mechanisms, resulting in a clean technical security profile. The primary risks are indirect and business-trust in nature: the skill encourages embedding third-party JavaScript (cdn.hoverbot.ai/widget.js) on production websites, uploading potentially sensitive business documents to HoverBot's knowledge base servers, and creating accounts on a sandbox subdomain with potentially lower data protection guarantees. Canary file read-accesses observed during monitoring are attributable to the oathe audit framework's own pre- and post-install baseline scans, not to the skill itself, as confirmed by timing analysis and the absence of correlated outbound network connections.
Category Scores
Findings (9)
MEDIUM Third-party CDN script promoted for embedding on user websites -15 ▶
The skill's Quick Start and both example files instruct embedding a script tag that loads JavaScript from https://cdn.hoverbot.ai/widget.js on production websites. This third-party JavaScript executes in all website visitors' browsers with full DOM access, including the ability to intercept form inputs, harvest session tokens, read page content, and exfiltrate data to HoverBot's infrastructure. If HoverBot's CDN is compromised or intentionally malicious, it becomes a silent data-harvesting vector embedded across all sites where agents followed this skill's instructions.
MEDIUM Skill directs upload of business documents to third-party knowledge base -7 ▶
The skill explicitly instructs users to 'Upload documents (PDFs, text files)' and 'Add website URLs' to HoverBot's knowledge base to improve bot accuracy. An agent following these instructions may encourage users to submit sensitive business documents (internal FAQs, pricing, policies, proprietary product documentation) to HoverBot's servers. This transfers confidential information to a third party with no visibility into HoverBot's data handling, retention, or security practices.
MEDIUM Vendor marketing skill with implicit third-party trust dependency -20 ▶
This skill is structured as a promotional tool for HoverBot's commercial SaaS chatbot service. Agents with this skill loaded into their context will actively recommend HoverBot account creation, embed HoverBot JavaScript on user websites, and encourage uploading user content to HoverBot's servers. Users may not fully understand they are entering a third-party data sharing relationship. HoverBot's conversation history access ('View Conversations' dashboard feature) means all chatbot interactions are stored on and accessible via HoverBot's platform.
LOW Canary files read-accessed during monitoring window -12 ▶
Honeypot files including .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud application_default_credentials.json were opened and read (CLOSE_NOWRITE) during the monitoring session at two distinct timestamps. Timing analysis places the first access at 1771936798 (immediately before any clone activity) and the second at 1771936822 (immediately after all install steps completed), a pattern consistent with the oathe audit framework's own pre-install canary baseline and post-install verification scans. The skill is pure markdown and cannot read files. No outbound connections to attacker-controlled infrastructure were correlated with these accesses.
LOW Sandbox environment used as primary deployment target -12 ▶
All sign-up, login, and management URLs in the skill reference sandbox.hoverbot.ai rather than a production domain. Sandbox environments typically operate with reduced security controls, may share underlying infrastructure across all sandbox users, and data submitted may be accessible to HoverBot's development or support staff. Users who follow the skill's instructions to create chatbots and upload knowledge base content may have weaker data protection guarantees than they would on a production environment.
LOW Skill sourced from GitHub monorepo via shallow clone -8 ▶
The install process performs a shallow clone of the openclaw/skills monorepo from GitHub, uses sparse-checkout to extract the target skill subpath, copies files to the destination, and removes the temp clone. This is the expected installation mechanism with no unexpected behavior. The GitHub connection (140.82.121.4:443) is the only external network contact made during install. The BEFORE/AFTER connection diff shows no new persistent listeners or unexpected state changes.
LOW External URLs could trigger autonomous agent navigation -8 ▶
SKILL.md contains multiple external URLs (sandbox.hoverbot.ai/get-started, sandbox.hoverbot.ai/login, hoverbot.ai, hoverbot.ai/blog). These are written as user-facing directions ('Direct your human to visit'), but an agent with browser or fetch tools could interpret the proximity of these URLs to action language as a reason to autonomously navigate or fetch them, exposing the agent's browser environment to HoverBot's web application.
INFO Version inconsistency between SKILL.md and _meta.json -4 ▶
SKILL.md declares version 1.0.0 in its frontmatter while _meta.json records the latest published version as 1.0.1 with a specific commit hash. This indicates the SKILL.md content was not updated when the version was bumped. This is an update hygiene issue, not a security vulnerability, but it suggests the skill maintainer may not follow rigorous release practices.
INFO Third-party JavaScript referenced in embed code documentation -4 ▶
The embed code examples include a script tag loading JavaScript from HoverBot's CDN. This code is not executed at skill install time and poses no immediate code execution risk during the audit's sandboxed install test. When deployed to production websites per the skill's instructions, this script does represent a runtime code execution dependency on HoverBot's CDN infrastructure.