Is hollaugo/chatgpt-apps safe?
https://github.com/openclaw/skills/tree/main/skills/hollaugo/chatgpt-apps
The hollaugo/chatgpt-apps skill is a pure-markdown workflow guide for building ChatGPT Apps with MCP servers, authentication, and database integration. No executable code, git hooks, submodules, or prompt injection was found in the skill content, and the oathe canary integrity check confirms all honeypot files were unmodified. The primary concerns are inherent to the skill's legitimate purpose — managing high-privilege secrets (Supabase service role keys, Auth0 client secrets) in agent context — and references to non-existent sub-agents that may cause confusion or fail silently.
Findings (6)
LOW: References Non-Existent Sub-Agents (-8)
The skill instructs the agent to 'use chatgpt-mcp-generator agent', 'chatgpt-auth-generator agent', and 'chatgpt-database-generator agent' to generate code. These agents are not bundled with the skill and do not appear in the openclaw skill registry. An agent that tries to invoke them will either fail outright or, if another installed skill happens to register one of those names, be routed to that skill instead.
LOW: Homepage URL Mismatch (-5)
The skill's homepage field points to github.com/hollaugo/prompt-circle-claude-plugins, a different repository from the openclaw/skills monorepo where the skill is published. The provenance mismatch is minor but worth noting: it could indicate the skill was ported from a personal repo without full review.
LOW: High-Privilege Secrets Handled in Agent Context (-16)
The skill's database and auth workflows require the agent to solicit and embed SUPABASE_SERVICE_ROLE_KEY and AUTH0_CLIENT_SECRET into generated code. While this is legitimate for app building, any logging or conversation retention could expose these secrets. The risk is inherent to the skill's purpose rather than malicious intent.
INFO: AWS Connections During Audit Period (-15)
Two ESTABLISHED connections to 44.214.208.192:443 (AWS) appear in the post-install state, attributed to the openclaw-gateway process. This is the oathe audit infrastructure phoning home, not a skill-driven action. Noted for completeness.
INFO: Canary Files Accessed at Audit Boundary Times (-10)
Auditd PATH records show the full set of canary files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) accessed at two precise timestamps: pre-install (ts=1771936576.592) and post-install (ts=1771936598.881). The batching and timing pattern is consistent with oathe infrastructure performing canary baseline reads rather than skill-driven access. Canary integrity check confirms no exfiltration.
INFO: Render MCP Chaining Risk (-20)
The deployment section mentions 'Option A: Automated (if Render MCP available) — Use Render MCP agent to deploy.' If a malicious Render MCP is co-installed, this skill could be chained to trigger deployment to attacker-controlled infrastructure. This is a composition risk, not a standalone vulnerability.