Is javainthinking/apipick-company-facts safe?

https://github.com/openclaw/skills/tree/main/skills/javainthinking/apipick-company-facts

92
SAFE

The apipick-company-facts skill is a pure markdown documentation package with zero executable code, no prompt injection vectors, and no data exfiltration mechanisms in its content. The only behavioral concern noted during monitoring — read-only accesses to canary files — is attributable to audit infrastructure operations that occurred before and after the skill install, not to any code within the skill itself; the canary integrity system confirmed no exfiltration. The skill presents a narrow, well-defined API lookup use case with full disclosure of its external API dependency.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 92/100 · 5%

Findings (6)

LOW Canary files read-accessed during test window -15

Six sensitive honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read during the monitoring window. However, both access batches (at 1771922502 before clone, and 1771922519 after install) are temporally correlated with audit infrastructure operations rather than the skill. The skill contains zero code capable of triggering file reads. The canary integrity system confirmed no exfiltration.

LOW Skill requires external API key env var -12

The skill reads APIPICK_API_KEY from the environment and transmits it as an HTTP header to apipick.com. This is the intended behavior and is fully disclosed in the skill description. However, any skill that reads env vars and makes outbound calls carries an inherent trust dependency on the API provider.

INFO Implicit ticker inference expands agent decision scope -5

The skill instructs the agent to infer ticker symbols from company names ('Apple' → AAPL, 'Microsoft' → MSFT). This is reasonable and disclosed, but slightly expands the agent's autonomous decision-making beyond a pure pass-through.

INFO README references non-existent 'Google Antigravity' platform -8

The README lists 'Google Antigravity' (https://antigravity.google) as a compatible platform with a description of 'Google's agent-first IDE with Gemini'. This product does not appear to exist. This is likely a fabricated marketing entry to appear more legitimate, which is a credibility flag but not a direct security vulnerability.

INFO Pre-existing Ubuntu infrastructure connection -10

A TCP connection to 185.125.188.57:443 (Canonical/Ubuntu) was established BEFORE the skill install and was gone AFTER. This is unrelated to the skill and appears to be routine Ubuntu system activity.

INFO No executable code present -2

The skill is composed entirely of markdown documentation. No code files of any kind exist in the skill package.