Is jasonfdg/bidclub-ai safe?

https://github.com/openclaw/skills/tree/main/skills/jasonfdg/bidclub-ai

72
CAUTION

This BidClub skill provides API integration for an investment community platform but introduces security concerns through external URL dependencies and agent behavior modification instructions. While the skill files themselves contain only documentation, the external service dependencies and heartbeat modification create potential attack vectors.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (4)

MEDIUM External URL fetching instructions -20

The skill instructs agents to regularly fetch content from external URLs like https://bidclub.ai/heartbeat.md, https://bidclub.ai/templates.md, and others. This creates a dependency on external services that could be compromised.

MEDIUM Agent behavior modification -15

The skill instructs agents to modify their HEARTBEAT.md file to add recurring tasks, changing the agent's autonomous behavior patterns.

LOW Credential files accessed during session -15

Multiple sensitive credential files were accessed during the installation session, though this appears to be from monitoring infrastructure rather than the skill itself.

MEDIUM External service dependency risk -45

The skill creates a strong dependency on bidclub.ai services. If this external service were compromised, it could be used to inject malicious content into agent workflows through the heartbeat mechanism.