Is jpbonch/agentscale safe?

https://github.com/openclaw/skills/tree/main/skills/jpbonch/agentscale

86
SAFE

AgentScale is a legitimate deployment tool that uploads user code to external hosting services. While it follows good security practices by excluding sensitive files, the API URL override feature poses a credential theft risk if misused.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (4)

MEDIUM Uploads user source code to external service -20

The skill's core functionality involves packaging and uploading user source code to api.agentscale.co for deployment. While this is the intended purpose of a deployment tool, it represents data transmission to external services.

HIGH API URL override can redirect sensitive data -10

The AGENTSCALE_API_URL environment variable can redirect all API calls, including those carrying API keys, to arbitrary URLs. This could be exploited to steal credentials.

LOW Contains build scripts in package.json -15

The package includes TypeScript compilation scripts that execute during build, though these appear benign and standard for TypeScript projects.

LOW Dependency on external hosting service -25

The skill creates a dependency on an external hosting service (agentscale.co), which could become unavailable or change its terms, potentially affecting user deployments.