Is idoziv/salai-mcp safe?

https://github.com/openclaw/skills/tree/main/skills/idoziv/salai-mcp

91
SAFE

This skill provides legitimate grocery shopping and price comparison functionality through Israel's Salai service. The primary security consideration is its dependency on an external MCP endpoint, which is clearly documented and appears to be the intended functionality.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

MEDIUM External API Endpoint Communication -15

Skill connects to external MCP endpoint at https://mcp.salai.co.il/mcp for grocery shopping functionality. This is the stated purpose but creates a trust boundary.

MEDIUM API Key Transmission -10

Skill requires SALAI_API_KEY environment variable which will be transmitted to external service for authentication.

LOW External URL References -5

Documentation references external URLs for registration and support, though these appear legitimate.

LOW External Service Trust Dependency -20

Skill's security depends on trustworthiness of external Salai service. If compromised, could misuse API keys or shopping data.