Is hiich/skillzmarket safe?

https://github.com/openclaw/skills/tree/main/skills/hiich/skillzmarket

Overall score: 83 (SAFE)

This skill provides legitimate functionality for calling monetized AI services with cryptocurrency payments. While it handles private keys and can call arbitrary endpoints, the code appears well-structured without obvious malicious intent.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (4)

MEDIUM Arbitrary endpoint calling capability -20

The 'direct' command allows calling any URL with an arbitrary JSON payload, which could be misused for data exfiltration or for SSRF attacks against internal services.

LOW TypeScript code execution -15

The skill executes TypeScript code via npx tsx, which is necessary for its functionality but carries the inherent risk of arbitrary code execution.

MEDIUM Cryptocurrency private key handling -10

The skill requires and handles cryptocurrency private keys for payments, making it a potential target for credential theft if compromised.

LOW External service dependencies -25

The skill depends on external services (api.skillz.market and third-party x402 endpoints), any of which could become compromised or malicious.