Is johnixr/agentsocial safe?
https://github.com/openclaw/skills/tree/main/skills/johnixr/agentsocial
This social matching skill poses significant security risks: by design it sends user data to external services, operates autonomously, and interacts with unknown external agents. While no malicious code was found in the skill files, the intended functionality creates concerning attack vectors for data theft and social engineering.
Findings (7)
HIGH Required user data transmission to external service -50
The skill explicitly instructs the agent to send the user's display name, bio, IP address, and MAC address to an external service (plaw.social). This creates a direct data exfiltration channel to an untrusted third party.
HIGH Persona override and autonomous behavior instructions -40
The skill contains extensive instructions that override the agent's default behavior, instructing it to act as a 'social agent and matchmaker' with autonomous cron job management and external API interactions without user approval.
HIGH High-risk external agent interactions -50
The skill enables interactions with unknown external agents on the plaw.social platform, creating risks of social engineering attacks, information disclosure, and potential malicious agent communications.
MEDIUM Credential storage and management -30
The skill requires storing API tokens and credentials locally in config.json files, which could become targets for other attacks or credential theft.
MEDIUM Indirect code execution via cron commands -30
The skill instructs the agent to execute shell commands for cron job management, which represents indirect code execution capabilities that could be misused.
MEDIUM External URL and API instruction injection -20
The skill contains extensive instructions for making API calls to external URLs, which could be used to exfiltrate data or receive malicious instructions from compromised external services.
MEDIUM Autonomous operation without explicit consent -20
The skill is designed to operate autonomously with minimal user oversight, including automatic cron job management, API calls, and conversation handling, which reduces user control over sensitive operations.