Is guogang1024/research-engine safe?

https://github.com/openclaw/skills/tree/main/skills/guogang1024/research-engine

82
SAFE

This appears to be a legitimate research automation tool written in Chinese that helps gather information from multiple sources. While it contains no malicious code, it has privacy concerns due to file system access and activity logging.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (4)

MEDIUM Writes files to user home directory -15

The script writes research reports and browsing history to /home/vken/.openclaw/workspace/research without explicit user permission, potentially accumulating sensitive information about user research activities.

MEDIUM Attempts external network calls -15

The script tries to make web requests to GitHub, Moltbook, and general web search APIs, which could expose user data or be used for data exfiltration.

LOW Dynamic imports and executable code -20

The Python script uses dynamic imports and contains executable code that could potentially be exploited, though no malicious code was detected.

LOW Privacy and logging concerns -25

The skill logs detailed user research activities including queries, timestamps, and browsing patterns, which could accumulate sensitive information over time.