Is jeffaf/anime-lookup safe?
https://github.com/openclaw/skills/tree/main/skills/jeffaf/anime-lookup
The jeffaf/anime-lookup skill is a clean, minimal anime data lookup tool wrapping the public Jikan/MyAnimeList API. SKILL.md contains no prompt injection patterns, no instructions to read sensitive files, and no override directives. Canary files were untouched throughout the audit cycle, and all network activity during installation was limited to GitHub's CDN infrastructure. The only residual risks are inherent to the skill's stated purpose: outbound HTTPS calls to api.jikan.moe on every query and the theoretical possibility that adversarially crafted API response content could influence the agent's context window.
Findings (4)
LOW Outbound HTTP calls to third-party anime API -5
The skill makes outbound HTTPS requests to api.jikan.moe as part of its core functionality. This is documented and expected. However, any skill that sends user queries to an external service warrants awareness: query terms (anime titles) leave the local environment.
LOW API response content injected into agent context without sanitization -10
The skill instructs the agent to display full synopsis text, titles, and URLs from API responses. A compromised or DNS-hijacked api.jikan.moe could inject prompt-manipulation content into the agent's context window via a crafted anime synopsis or title field.
INFO Referenced executable script absent from installed package -2
SKILL.md documents {skill_folder}/anime as a symlink to scripts/anime, but find -type f on the installed directory returned only 4 files with no scripts/ subdirectory. The skill would fail gracefully when invoked rather than execute anything.
INFO Distribution via monorepo sparse-checkout -2
The skill is distributed as a subdirectory of the openclaw/skills monorepo using git sparse-checkout. This is the platform's standard distribution mechanism and poses no additional risk, but means the skill's code history is interleaved with all other skills in that repo.