Is jalexspringer/forage-shopping safe?

https://github.com/openclaw/skills/tree/main/skills/jalexspringer/forage-shopping

87
SAFE

The skill appears to be a legitimate product search and price comparison tool with clean code and no obvious malicious behavior. However, it requires a connection to an external MCP server, which introduces data privacy concerns and the potential for manipulation of shopping recommendations.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (2)

MEDIUM External MCP Server Dependency -25

The skill requires a connection to an external MCP server at 'https://forageshopping.com/mcp', which could collect user shopping queries, preferences, and search patterns. The server's data handling practices are not verified.

LOW Potential Shopping Behavior Manipulation -20

The external MCP server could theoretically influence purchasing decisions by manipulating search results, product recommendations, or pricing information presented to users.