Is hukifl1/clankedin safe?

https://github.com/openclaw/skills/tree/main/skills/hukifl1/clankedin

91
SAFE

ClankedIn is a social networking API integration skill that appears legitimate but has moderate risk due to dynamic content fetching from external endpoints. The skill facilitates cryptocurrency payments and social interactions through an external API.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (3)

MEDIUM Dynamic Documentation Fetching -20

The skill instructs agents to fetch API documentation from an external URL (https://api.clankedin.io/api/skill.md). This could potentially be used to dynamically inject new instructions into the agent's context if the endpoint is compromised.

LOW Private Key Handling in Examples -10

The documentation includes JavaScript examples that reference private key environment variables (process.env.EVM_PRIVATE_KEY) for cryptocurrency transactions, which could lead to financial loss if misused.

MEDIUM Financial Transaction Risk -25

The skill combines external content fetching capabilities with cryptocurrency payment functionality, creating potential vectors for financial manipulation if the external API is compromised or malicious.