Is jds950/messari-crypto safe?
https://github.com/openclaw/skills/tree/main/skills/jds950/messari-crypto
The messari-crypto skill by jds950 is a well-scoped API documentation skill that routes crypto market queries to Messari's REST API. Static analysis of SKILL.md reveals no prompt injection, hidden instructions, data harvesting directives, or executable code. Runtime monitoring confirmed no canary file exfiltration, no unexpected network connections beyond the expected GitHub clone, and no new persistent processes or listeners after installation.
Findings (5)
INFO (-5): API key transmitted to declared third-party service
The skill instructs the agent to include MESSARI_API_KEY in every request header sent to api.messari.io. This is the stated and expected behavior of the skill. The key is not sent anywhere unexpected, but users should understand their Messari API key will be used in agent-initiated requests.
INFO (-5): User query content forwarded to Messari AI
The /ai/v1/chat/completions endpoint sends user message content to Messari's AI service. This is a standard third-party LLM integration and is explicitly described, but users with sensitive queries should be aware their inputs leave the local agent context.
INFO (-3): Skill installed via GitHub monorepo sparse checkout
Installation clones the full openclaw/skills monorepo with --depth 1 --no-checkout, then sparse-checks out only the target skill path before copying and cleaning up. This is the expected oathe install pattern. No anomalous network activity was observed.
INFO (0): No executable code present
The skill contains only markdown documentation and JSON metadata files. There are no scripts, compiled artifacts, build hooks, or executable content of any kind.
INFO (0): Canary files accessed read-only before install by audit framework
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, etc.) appear in PATH audit records at timestamp 1771939438, approximately 5 seconds before the skill install commenced at 1771939443. This access pattern is consistent with oathe establishing its monitoring baseline rather than with activity by the skill itself. The canary integrity check confirmed all files unmodified.