Is hgosansn/mukt safe?
https://github.com/openclaw/skills/tree/main/skills/hgosansn/mukt
The openrouter-free-responder skill is a well-written, transparent utility that routes prompts to free OpenRouter models. The SKILL.md contains no prompt-injection patterns, the Python script performs no unauthorized file access or secondary exfiltration, and all canary honeypot files remained intact post-install. The only material concern is inherent to the skill's purpose: user prompts are forwarded to a third-party AI service, which may be undesirable in privacy-sensitive deployments or when combined with file-reading skills that could relay sensitive content.
Findings (5)
LOW User prompts forwarded to third-party LLM service by design -15
The skill's core purpose is to relay user prompts to OpenRouter's API. Any prompt passed via --prompt will be transmitted to an external AI provider. If the agent invokes this skill with sensitive context, that context leaves the local environment. This is disclosed in the skill description, but users should be aware of it.
LOW Bundled Python script requires execution trust -15
The skill ships an executable Python file. While the code is clean and well-structured, any bundled executable script that runs with agent-level privileges represents a minor elevation of attack surface compared to a prompt-only skill.
LOW Indirect exfiltration possible via skill composition -20
If installed alongside file-reading or memory-reading skills, an agent could be prompted to read sensitive files and then query OpenRouter with that content. This skill does not cause this alone, but it widens the blast radius of misconfigured agent tool chains.
INFO OPENROUTER_API_KEY consumed on each invocation 0
The skill uses the caller's API key for all model queries. Repeated or automated invocation will deplete user quota. No credential is stored or logged by the skill itself.
INFO Version metadata inconsistency in _meta.json 0
The latest field records version 0.1.0 while history contains 0.1.3 (a higher version). This is a data-ordering bug in the registry metadata and carries no security implication.