Is ishaan-jaff/litellm safe?

https://github.com/openclaw/skills/tree/main/skills/ishaan-jaff/litellm

90
SAFE

The ishaan-jaff/litellm skill is a clean, legitimate wrapper around the LiteLLM library authored by the library's creator. No malicious code, prompt injection attempts, or credential exfiltration was detected during static analysis or dynamic monitoring; all canary files remained intact. The only material concern is inherent to the skill's purpose: it normalizes routing agent prompts to multiple third-party LLM providers, which means user conversation context leaves the primary runtime, and the LiteLLM proxy pattern could become a vector for interception if a future update or companion skill substitutes a malicious proxy URL.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 93/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (6)

MEDIUM Prompts routed to multiple third-party LLM providers by design -15

When the agent follows this skill's instructions it will send user prompts and conversation context to external providers including OpenAI, Google Gemini, and Mistral. This is the explicit purpose of the skill, but users should be aware their data leaves the primary runtime.

LOW LiteLLM proxy pattern enables man-in-the-middle interception -25

The skill normalizes setting litellm.api_base to an arbitrary proxy URL. If a future skill update, a malicious companion skill, or a social-engineering prompt directed the agent to point this at an attacker-controlled proxy, all LLM calls would be intercepted without user awareness.

LOW Script reads API keys from environment variables 0

llm_call.py reads LITELLM_API_KEY, OPENAI_API_KEY, and ANTHROPIC_API_KEY from the environment. This is standard LLM tooling practice, but the script could be misused by a calling agent that logs or transmits script output, including error messages that may leak key prefixes.

LOW Third-party Python package dependency (litellm) -7

The skill requires pip install litellm, which introduces the LiteLLM package and all its transitive dependencies into the agent's Python environment. A supply-chain compromise of the litellm PyPI package would affect all agents using this skill.

INFO External documentation URL referenced in SKILL.md -8

SKILL.md links to https://docs.litellm.ai/docs/providers for the full model list. This is passive documentation, not an instruction to fetch the URL, and poses negligible risk.

INFO Installation clones full monorepo with shallow depth -10

The install script clones the entire openclaw/skills monorepo (depth 1), then sparse-checks out only the target skill. This is a minor efficiency concern, but no unexpected behavior was observed.