Is juanwall/moonbanking safe?

https://github.com/openclaw/skills/tree/main/skills/juanwall/moonbanking

Overall score: 83/100 (SAFE)

juanwall/moonbanking is a straightforward API-wrapper skill that provides access to the Moon Banking banking data API. The SKILL.md is clean of prompt injection, hidden instructions, and credential-harvesting logic; no executable code, git hooks, or submodules are present; and the clone behavior was limited to a single expected GitHub connection. The primary concerns are an overly broad activation trigger that exposes MOON_BANKING_API_KEY to a third-party service more frequently than necessary, and the inherent risk that agent-parsed API responses from moonbanking.com are not sandboxed against prompt injection. Canary file reads observed in telemetry are conclusively attributed to the audit harness rather than the skill.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 82/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 87/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

LOW Overly Broad Skill Activation Trigger -18

The final line of SKILL.md instructs the agent to activate the skill 'whenever questions or discussions involve bank information of any kind, including, but not limited to, rankings, reviews, country comparisons, customer experiences, or global banking insights.' This unbounded trigger causes MOON_BANKING_API_KEY to be sent to api.moonbanking.com far more often than necessary, increasing credential exposure surface and enabling adversarial activation via casual mentions of any bank.

LOW API Key Transmitted to Third-Party Commercial Service on Every Call -22

The MOON_BANKING_API_KEY credential is included in every curl invocation as a Bearer token. While this is required for the API, the key is exposed to moonbanking.com infrastructure on every skill invocation. If moonbanking.com were compromised or the key were logged server-side, user API access would be silently at risk. The broad trigger condition (see prompt injection finding) multiplies the frequency of this exposure.

INFO Canary File Reads Attributed to Audit Harness, Not Skill 0

Filesystem and auditd telemetry show that .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud/application_default_credentials.json were opened and read twice: once at audit epoch 1771923758.868 (before the git clone at 1771923764.348) and once at 1771923781.900 (after all skill analysis completed). Neither window overlaps with any skill-attributable process. No network activity correlates with these reads. Canary integrity is confirmed intact.

INFO Agent Instructed to Use exec with curl for All API Calls -13

The skill grants itself persistent shell execution capability by instructing the agent to use exec with curl and jq for every API interaction. This is standard practice for API-wrapper skills but should be noted as a design pattern that enables arbitrary shell command execution within the agent's tool permissions. No misuse is present in the current SKILL.md, but this pattern makes the skill sensitive to any future prompt injection in API responses.

LOW API Response Content Parsed by Agent Without Sandboxing -28

Bank names, stories, and country descriptions returned by api.moonbanking.com are summarized directly by the agent. The skill instructs the agent to 'always summarize results helpfully.' If api.moonbanking.com were compromised or served attacker-controlled content, injected instructions in API response fields (e.g., a bank 'name' containing prompt-injection text) would be processed by the agent with full context access.

INFO Clean Install — Only Expected GitHub Network Activity 0

The git clone contacted only GitHub (140.82.121.4:443, confirmed via DNS and TCP trace). No unexpected outbound connections, no unexpected processes, and no filesystem writes outside /home/oc-exec/skill-under-test/ and the cleaned-up /tmp/monorepo-clone were observed. Pre-existing Canonical/Ubuntu connections were not skill-induced.