Is kaushal-205/clawlogic safe?

https://github.com/openclaw/skills/tree/main/skills/kaushal-205/clawlogic

60
CAUTION

This prediction market trading skill raises severe security concerns: during execution it accesses multiple sensitive credential files, including SSH keys, AWS credentials, and environment files. While the skill's core functionality appears legitimate, the credential access pattern combined with external data transmission capabilities presents significant data exfiltration risks.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 10/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 30/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (4)

CRITICAL Access to Multiple Sensitive Credential Files -90

The skill accessed multiple sensitive credential files including .env, SSH private keys, AWS credentials, Docker config, and GCloud credentials during execution. This indicates potential data exfiltration capabilities.

HIGH External Data Transmission -25

The skill sends data to external endpoints, including market broadcasts and potentially sensitive information, through the post-broadcast functionality.

MEDIUM External Package Execution -25

The skill downloads and executes external packages via npx @clawlogic/sdk@latest, which could introduce supply chain risks.

MEDIUM Financial Operations with Credential Access -60

The skill performs financial trading operations while having access to sensitive credentials, creating risk for unauthorized financial activities.