Is james-southendsolutions/camino-ev-charger safe?

https://github.com/openclaw/skills/tree/main/skills/james-southendsolutions/camino-ev-charger

Overall score: 89 (SAFE)

The camino-ev-charger skill is a legitimate EV charging station finder that queries the Camino AI API using OpenStreetMap data. No prompt injection, hidden instructions, credential theft, or malicious code execution was detected during static analysis or dynamic monitoring. The primary concerns are modest: the SKILL.md installation section promotes mass-installation of 13 companion skills in a way an agent might interpret as an imperative, and all location queries are transmitted to a third-party commercial service (getcamino.ai).

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 87/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 84/100 · 20%
Clone Behavior 96/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 84/100 · 5%

Findings (5)

MEDIUM Companion-skill mass-install promotion in system-prompt context -13

The Installation section of SKILL.md explicitly instructs readers to 'Install all available skills' and lists 13 companion skills from the barneyjm/camino-skills repository. When SKILL.md is injected into an LLM agent's system prompt, the agent may interpret this as an actionable directive and attempt to install all companion skills without explicit user approval, significantly expanding the installed codebase and attack surface.
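The check below is an added example, not part of the audit tooling or of the skill: it scans a SKILL.md body for lines that read as an imperative to install everything and lists the companion references an agent would act on. The sample manifest is constructed for the example; the repository path barneyjm/camino-skills is the one named in the finding, the skill names under it are invented placeholders.

```shell
#!/bin/sh
# Added example (not audit or skill code): flag mass-install directives in a
# skill manifest before it is injected into an agent's system prompt.
set -eu

# Constructed sample manifest. Only the first bullet is a real skill name;
# the other two are placeholders.
SAMPLE_SKILL_MD='# camino-ev-charger
Find EV charging stations near a location.

## Installation
Install all available skills from barneyjm/camino-skills:
- camino-ev-charger
- camino-example-a
- camino-example-b
'

# find_mass_install_directives TEXT -> "lineno:line" for each line that reads
# as "install all/every ..." (case-insensitive); prints nothing when clean.
find_mass_install_directives() {
  printf '%s\n' "$1" | grep -niE 'install (all|every)( |$)' || true
}

# list_companion_refs TEXT -> one bullet-item name per line (bullet stripped)
list_companion_refs() {
  printf '%s\n' "$1" | sed -nE 's/^[[:space:]]*[-*][[:space:]]*([a-z0-9_-]+).*/\1/p'
}

# count_companion_refs TEXT -> number of bullet-item references
count_companion_refs() {
  list_companion_refs "$1" | grep -c . || true
}

# flags_mass_install TEXT -> exit 0 when at least one directive was found
flags_mass_install() {
  [ -n "$(find_mass_install_directives "$1")" ]
}

main() {
  if flags_mass_install "$SAMPLE_SKILL_MD"; then
    echo "FLAG: mass-install directive(s) found:"
    find_mass_install_directives "$SAMPLE_SKILL_MD"
    echo "companion references an agent would install: $(count_companion_refs "$SAMPLE_SKILL_MD")"
    list_companion_refs "$SAMPLE_SKILL_MD"
  else
    echo "no mass-install directive"
  fi
}
main
```

Run it against the real SKILL.md with `SAMPLE_SKILL_MD=$(cat SKILL.md)`; a non-empty directive list is the signal to strip or rephrase that section before the manifest reaches a system prompt.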

LOW User location and search queries sent to third-party commercial API -12

The shell script transmits user-supplied latitude, longitude, radius, and search query strings to api.getcamino.ai over HTTPS. While this is the expected behavior for a location-intelligence skill, users should be aware that all EV charger searches (including precise coordinates) leave the local environment and are processed by Camino AI's servers.

LOW Executable shell script included in skill bundle -16

The skill includes scripts/ev-charger.sh, a bash script that will be executed by the agent on behalf of users. The script is well-structured, uses input validation, and only communicates with the declared API endpoint. The risk is inherent to shell-script-based skills generally rather than any specific malicious logic in this script.
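The script below is an added example covering the two findings above; it is not the skill's scripts/ev-charger.sh and does not reproduce that script's internals. It shows the checks a reviewer wants in a shell skill that ships coordinates to a remote API: range validation for latitude, longitude and radius, percent-encoding of the free-text query, and a refusal to contact any host other than the declared one. The host api.getcamino.ai is the one named in the finding; the request path /v1/ev-chargers, the query parameter names and the 50 km radius cap are assumptions.

```shell
#!/bin/sh
# Added example (not the skill's own script): validate inputs and pin the
# endpoint before any search leaves the local environment.
set -eu

API_HOST="api.getcamino.ai"                       # host named in the finding
API_BASE="https://${API_HOST}/v1/ev-chargers"     # path is an assumption
MAX_RADIUS_M=50000                                # cap is an assumption

# is_number VALUE -> 0 if VALUE is a plain decimal (no exponent, no hex)
is_number() {
  printf '%s' "$1" | grep -Eq '^-?[0-9]+(\.[0-9]+)?$'
}

# in_range VALUE MIN MAX -> 0 if MIN <= VALUE <= MAX (float-safe via awk)
in_range() {
  is_number "$1" && awk -v v="$1" -v lo="$2" -v hi="$3" 'BEGIN { exit !(v >= lo && v <= hi) }'
}

# urlencode STRING -> percent-encodes all but unreserved characters (ASCII input assumed)
urlencode() {
  enc_rest="$1"
  while [ -n "$enc_rest" ]; do
    enc_c="${enc_rest%"${enc_rest#?}"}"   # first character
    enc_rest="${enc_rest#?}"
    case "$enc_c" in
      [A-Za-z0-9.~_-]) printf '%s' "$enc_c" ;;
      *) printf '%%%02X' "'$enc_c" ;;
    esac
  done
}

# build_url LAT LON RADIUS QUERY -> prints the request URL, or fails with a reason
build_url() {
  b_lat="$1"; b_lon="$2"; b_radius="$3"; b_query="$4"
  in_range "$b_lat" -90 90   || { echo "bad latitude: $b_lat" >&2; return 1; }
  in_range "$b_lon" -180 180 || { echo "bad longitude: $b_lon" >&2; return 1; }
  printf '%s' "$b_radius" | grep -Eq '^[0-9]+$' \
    && [ "$b_radius" -ge 1 ] && [ "$b_radius" -le "$MAX_RADIUS_M" ] \
    || { echo "bad radius: $b_radius" >&2; return 1; }
  printf '%s\n' "${API_BASE}?lat=${b_lat}&lon=${b_lon}&radius=${b_radius}&q=$(urlencode "$b_query")"
}

# url_host URL -> prints the host component of an https URL
url_host() {
  printf '%s' "$1" | sed -E 's#^https://([^/?]+).*#\1#'
}

# fetch LAT LON RADIUS QUERY -> performs the request only against API_HOST over HTTPS
fetch() {
  f_url=$(build_url "$@")
  [ "$(url_host "$f_url")" = "$API_HOST" ] || { echo "refusing non-declared host" >&2; return 1; }
  curl --fail --silent --show-error --proto '=https' --max-time 15 "$f_url"
}

# Example invocation (network call not made here): fetch 51.5074 -0.1278 2000 'fast charger'
```

The host check is deliberately separate from URL construction so that a later edit to API_BASE, or a user-controlled value that slips into it, cannot silently redirect the coordinates elsewhere; `--proto '=https'` keeps curl from following a downgrade.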

INFO Clean sparse-checkout install from GitHub monorepo -4

The install process performed a shallow git clone of the openclaw/skills monorepo using sparse checkout to extract only the skill subdirectory. No unexpected network connections, process spawning, or filesystem writes outside the target directory were observed.

INFO Canary file accesses attributable to audit system only 0

Six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed twice during the audit window. Both access clusters (ts 1771923069 and ts 1771923089) align with the Oathe pre-install and post-install snapshot operations, not with any skill-related process. All files confirmed intact.
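The attribution step the finding describes, as an added example rather than the audit system's own code: each canary access is matched to a known audit event when its timestamp falls within a small tolerance of that event, and anything left over is reported as unattributed. The two event timestamps are the ones given in the finding; the access log lines, the two-second tolerance and the final out-of-window access are constructed for the example.

```shell
#!/bin/sh
# Added example (not audit-system code): attribute canary-file accesses to
# known audit events by timestamp proximity, flagging unexplained accesses.
set -eu

# Constructed event list ("ts label"); timestamps are the two from the finding.
SNAPSHOT_EVENTS='1771923069 pre-install-snapshot
1771923089 post-install-snapshot'

# Constructed access log ("ts path"); the last line is deliberately unexplained.
CANARY_ACCESSES='1771923069 .env
1771923069 .ssh/id_rsa
1771923089 .aws/credentials
1771923089 .npmrc
1771923140 .docker/config.json'

TOLERANCE_S=2   # assumed window; snapshot reads should land within a couple of seconds

# attribute_accesses EVENTS ACCESSES -> "ts path label" per access, label = event
# name whose timestamp is within TOLERANCE_S, else UNATTRIBUTED
attribute_accesses() {
  printf '%s\n' "$2" | awk -v events="$1" -v tol="$TOLERANCE_S" '
    BEGIN {
      n = split(events, lines, "\n")
      for (i = 1; i <= n; i++) {
        split(lines[i], f, " ")
        ev_ts[i] = f[1]; ev_label[i] = f[2]
      }
    }
    NF >= 2 {
      label = "UNATTRIBUTED"
      for (i = 1; i <= n; i++)
        if ($1 >= ev_ts[i] - tol && $1 <= ev_ts[i] + tol) { label = ev_label[i]; break }
      print $1, $2, label
    }'
}

# count_unattributed EVENTS ACCESSES -> number of accesses no event explains
count_unattributed() {
  attribute_accesses "$1" "$2" | grep -c 'UNATTRIBUTED$' || true
}

main() {
  attribute_accesses "$SNAPSHOT_EVENTS" "$CANARY_ACCESSES"
  echo "unattributed accesses: $(count_unattributed "$SNAPSHOT_EVENTS" "$CANARY_ACCESSES")"
}
main
```

A count of zero is the result this finding reports; any non-zero count is an access that needs its own process attribution before the skill can be called clean.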