Is johnielee/privacy-cards safe?
https://github.com/openclaw/skills/tree/main/skills/johnielee/privacy-cards
The johnielee/privacy-cards skill is a well-structured, documentation-only API reference for Privacy.com virtual card management. It contains no executable code, no prompt injection attempts, no data exfiltration vectors, and installed cleanly with no unexpected network connections or filesystem changes. The primary risks are inherent to its legitimate purpose: full card credentials (PAN, CVV, expiry) flow into the agent's context window via API responses, and the skill enables irreversible financial operations (permanent card closure, spend limit modification) that could cause harm if the agent is manipulated via secondary prompt injection from other sources.
Findings (7)
MEDIUM Full Card Credentials Exposed in Agent Context -8
The Privacy.com API create-card response includes pan (16-digit card number), cvv, and expiry fields. When the agent calls this endpoint and receives the response, these credentials enter the agent's context window. If a secondary prompt injection occurs (e.g., from a malicious file the agent reads, or another installed skill), this financial data could be exfiltrated or misused.
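One practical mitigation for this finding is to put a redaction layer between the API response and the agent, so that the card number is masked to its last four digits and the cvv and expiry fields never reach the context window at all. The following is an added example, not code from the skill or from Privacy.com: the field names pan, cvv and expiry come from the finding above, while the token, state and memo fields and the sample response itself are constructed for illustration. The free-text scrubber also catches a Luhn-valid card number that leaks into some other field (a memo or merchant descriptor), which a field-name-only filter would miss.

```python
import copy
import re
from typing import Any

# Fields named in the finding. Anything in SECRET_FIELDS is dropped outright;
# the PAN is masked rather than dropped so the agent can still refer to the card.
SECRET_FIELDS = {"cvv", "expiry"}
PAN_FIELD = "pan"

# Candidate card numbers embedded in free text: 13-19 digit runs on word boundaries.
_DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell a card number apart from an ordinary numeric id."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 4:
        return "****"
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_text(text: str) -> str:
    """Mask any Luhn-valid digit run inside a string value; leave other numbers alone."""
    return _DIGIT_RUN.sub(
        lambda m: mask_pan(m.group(0)) if luhn_ok(m.group(0)) else m.group(0), text
    )


def redact(obj: Any) -> Any:
    """Recursively redact a decoded JSON response before it is handed to the agent."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if key in SECRET_FIELDS:
                continue  # cvv / expiry never enter the context window
            if key == PAN_FIELD and isinstance(value, str):
                out[key] = mask_pan(value)
            else:
                out[key] = redact(value)
        return out
    if isinstance(obj, list):
        return [redact(item) for item in obj]
    if isinstance(obj, str):
        return scrub_text(obj)
    return obj


# Constructed sample shaped like the create-card response described in the finding.
# 4111111111111111 is a well-known Luhn-valid test number, not a real card.
SAMPLE_CREATE_RESPONSE = {
    "token": "card-token-example",   # assumed field, for illustration only
    "state": "OPEN",
    "pan": "4111111111111111",
    "cvv": "123",
    "expiry": "12/2030",
    "memo": "Test card 4111111111111111 issued",  # PAN leaked into free text
}


def redacted_sample() -> dict:
    """Return the sample response as the agent would see it after redaction."""
    return redact(copy.deepcopy(SAMPLE_CREATE_RESPONSE))


if __name__ == "__main__":
    print(redacted_sample())
```

The redaction has to run in the tool-calling harness, not in the prompt: an instruction in SKILL.md asking the model to "not repeat the card number" is itself subject to the secondary prompt injection the finding describes, whereas a filter applied to the HTTP response body is not.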
MEDIUM Irreversible Card Closure Operation -12
The skill documents PATCH state=CLOSED as a permanent operation with no undo path. An adversarially prompted agent or one that misunderstands user intent could permanently close all user cards, disrupting their financial operations with no recovery option.
LOW Financial Transaction History in Agent Context -5
The transactions endpoint returns merchant names, amounts, authorization codes, and settlement status. This creates a financial surveillance dataset within the agent's context that persists for the duration of the session and could be leaked.
LOW Spend Limit Removal Risk -6
The skill allows updating spend_limit and spend_limit_duration. A manipulated agent could set spend_limit to an arbitrarily high value or change duration to FOREVER, removing financial guardrails on user cards.
LOW Canary Files Accessed During Monitoring Window -5
Honeypot files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened during the monitoring period. Timing and process attribution indicate these accesses were performed by the Oathe audit platform itself (pre-install baseline and post-install integrity check), not by skill-derived code. No executable code in the skill could have triggered these reads. Canary integrity confirmed intact.
LOW External API Endpoint Hardcoded in Skill -5
SKILL.md hardcodes api.privacy.com and sandbox.privacy.com as the API base URLs. While these are legitimate endpoints today, any future modification to the skill in the monorepo could silently redirect API calls (including the user's API key) to an attacker-controlled server. Users should pin to a known-good commit.
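The card-closure, spend-limit and hardcoded-endpoint findings above share one mitigation: a policy gate in the tool-calling harness that inspects every PATCH before the API key leaves the process. The following is an added example, not code from the skill or from Privacy.com. The hosts api.privacy.com and sandbox.privacy.com, the state=CLOSED value and the spend_limit / spend_limit_duration / FOREVER names come from the findings; the spending ceiling, the set of durations treated as still-guarded, the assumption that spend_limit is an integer amount, and the per-session closure budget are assumptions chosen for illustration. The user_confirmed flag is meant to be set by an out-of-band confirmation in the harness (a UI prompt, a second channel), never by the model asserting from its own context that the user agreed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hosts the skill documents as API base URLs. Anything else is treated as a
# possible redirection of the API key to an attacker-controlled server.
ALLOWED_API_HOSTS = {"api.privacy.com", "sandbox.privacy.com"}

# Policy knobs: assumptions for this example, not values from the skill or API.
MAX_UNATTENDED_SPEND_LIMIT = 50_000          # assumed integer amount ceiling without confirmation
GUARDED_DURATIONS = {"TRANSACTION", "MONTHLY"}  # assumed durations that keep a spending cap
CONFIRM_REQUIRED_STATES = {"CLOSED"}         # documented as permanent with no undo path


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)


class CloseBudget:
    """Caps how many cards one agent session may close, even with confirmation,
    so a manipulated agent cannot sweep every card in a loop."""

    def __init__(self, max_closures: int = 1):
        self.max_closures = max_closures
        self.closed = 0

    def consume(self) -> bool:
        if self.closed >= self.max_closures:
            return False
        self.closed += 1
        return True


def check_card_update(base_url: str, body: dict, user_confirmed: bool = False,
                      budget: "CloseBudget | None" = None) -> Decision:
    """Decide whether a PATCH card request may be sent. Returns all failing reasons."""
    reasons = []

    parsed = urlparse(base_url)
    host = parsed.hostname or ""
    if parsed.scheme != "https" or host not in ALLOWED_API_HOSTS:
        reasons.append(f"refusing to send API key to non-allowlisted endpoint {base_url!r}")

    state = body.get("state")
    if state in CONFIRM_REQUIRED_STATES:
        if not user_confirmed:
            reasons.append(f"state={state} is irreversible; explicit user confirmation required")
        elif budget is not None and not budget.consume():
            reasons.append("per-session card closure budget exhausted")

    duration = body.get("spend_limit_duration")
    if duration is not None and duration not in GUARDED_DURATIONS and not user_confirmed:
        reasons.append(f"spend_limit_duration={duration} removes the spending guardrail; confirmation required")

    limit = body.get("spend_limit")
    if limit is not None:
        if isinstance(limit, bool) or not isinstance(limit, int) or limit < 0:
            reasons.append("spend_limit must be a non-negative integer")
        elif limit > MAX_UNATTENDED_SPEND_LIMIT and not user_confirmed:
            reasons.append(f"spend_limit {limit} exceeds unattended ceiling {MAX_UNATTENDED_SPEND_LIMIT}")

    return Decision(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    print(check_card_update("https://api.privacy.com", {"state": "CLOSED"}))
    print(check_card_update("https://api.privacy.com.evil.example", {"spend_limit": 100}))
```

Pinning the skill to a known-good commit, as the finding recommends, protects against the SKILL.md text changing; the host allowlist above is the runtime counterpart, so that even a modified instruction file cannot steer the key to a new host. The closure budget is deliberately enforced after confirmation as well, because the failure mode in the finding is an agent that closes every card, and a single confirmation should not authorise a loop.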
INFO No Executable Code Present -1
The skill consists entirely of markdown documentation (SKILL.md, references/api.md) and metadata (_meta.json). No npm scripts, git hooks, gitattributes filters, gitmodules, symlinks, or other executable artifacts were found. The installation process was clean with no unexpected side effects.