Is k0renn/morning-green-invoice safe?
https://github.com/openclaw/skills/tree/main/skills/k0renn/morning-green-invoice
The morning-green-invoice skill is a clean, well-scoped integration for the Morning (GreenInvoice) Israeli invoicing SaaS platform. The SKILL.md contains no prompt injection, no hidden instructions, no executable code, and no instructions to access local sensitive files. Canary file accesses observed in the audit log are attributable to the audit infrastructure's pre- and post-install integrity checks — not to skill activity — and all honeypot files remain unmodified with no network exfiltration detected. The only inherent risks are those common to all financial API integration skills: the agent momentarily holds live API credentials and has the ability to create financial documents on behalf of the user.
Findings (4)
LOW Canary credential files opened during audit session -16
The six honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud application_default_credentials.json) were opened and accessed at two points during the session. The first access cluster (audit records 387-392, timestamp 1771917864.480) occurred approximately 5 seconds before GNOME session startup and 5+ seconds before the skill installation script executed, placing it firmly in audit infrastructure initialization. The second cluster (records 6737-6742, timestamp 1771917881.806) shows all six files accessed atomically at an identical timestamp immediately following the SSH-driven monitoring loop — consistent with a batch post-install integrity check. No modifications to any file were detected, and there is no correlated outbound network traffic to non-infrastructure IPs that would indicate exfiltration.
LOW Skill collects live financial API credentials from users -13
The skill instructs the agent to collect apiKeyId and apiKeySecret from the user before every operation. These credentials grant access to a live Israeli invoicing platform capable of creating legally-binding financial documents. While credential collection is an inherent requirement of any API integration skill, the agent briefly holds credentials in context during execution. If an agent session were compromised by another loaded skill, these credentials could be captured at the point of user entry.
INFO Financial document creation carries inherent misuse potential -12
The skill enables creation of invoices, receipts, credit invoices, debit invoices, quotes, and purchase orders via the Morning API. In a scenario where a user's Morning credentials were obtained by a malicious party and used with this skill, fraudulent financial documents could be created. This risk is inherent to financial API integrations and is not a defect in this skill's design.
INFO Credential echo suppression guardrail -8
The skill includes a guardrail instructing the agent not to display API secrets or JWTs to users. This is standard credential hygiene for API integration skills and does not constitute an attempt to hide malicious behavior from users — it protects the user's own secrets from appearing in conversation logs or being captured by screen recording.