Is kantorcodes/registry-broker-skills safe?

https://github.com/openclaw/skills/tree/main/skills/kantorcodes/registry-broker-skills

Overall score: 87 (SAFE)

This Registry Broker skill provides legitimate API documentation and tools for accessing the Hashgraph Online Registry Broker service. While it contains executable scripts that users should review before running, no malicious behavior was detected during installation.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (3)

MEDIUM Executable scripts present in skill -30

The skill contains JavaScript files in the examples/ directory and shell scripts in the scripts/ directory that users could execute. These include ledger-auth.js, register-agent.js, search-and-chat.js, and various .sh files for API interaction.

LOW External API communications -15

The skill facilitates communication with external Hashgraph Online Registry Broker API endpoints, which could potentially be used for data exfiltration if misused.

INFO Provides access to external AI agents -20

The skill enables access to 72,000+ AI agents across 14 registries, which introduces potential risks from interacting with unknown external agents.