Is jneless/volcengine-tos-vectors-skills safe?

https://github.com/openclaw/skills/tree/main/skills/jneless/volcengine-tos-vectors-skills

89
SAFE

This skill provides legitimate documentation and utilities for TOS Vectors, a cloud-based vector database service. The code appears benign and follows standard patterns for API integration, with no evidence of malicious behavior.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

MEDIUM Environment Variable Access -15

The skill's Python scripts access environment variables containing API credentials (TOS_ACCESS_KEY, TOS_SECRET_KEY, TOS_ACCOUNT_ID). While this is standard practice for API authentication, it represents access to sensitive data.

LOW Contains Executable Python Scripts -15

The skill includes Python scripts in the scripts/ directory that demonstrate TOS Vectors API usage. While the code appears legitimate, it represents executable content within the skill.

LOW Requires API Credentials -10

The skill requires TOS Vectors service credentials to function. If valid credentials are provided, the skill could potentially access or modify vector databases.