Is kelvis24/throwly-mcp safe?

https://github.com/openclaw/skills/tree/main/skills/kelvis24/throwly-mcp

98
SAFE

This skill provides documentation for integrating AI agents with the Throwly marketplace service. It contains only documentation files with no executable code, makes no attempts at prompt injection or data exfiltration, and exhibits normal installation behavior.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (2)

INFO External service endpoint references -5

The skill documentation references external URLs for the Throwly marketplace service endpoints. These appear to be legitimate service URLs for the declared marketplace functionality.

INFO External service dependency -5

The skill requires users to provide a THROWLY_AUTH_TOKEN environment variable to authenticate with the external Throwly marketplace service. This is expected for marketplace functionality but creates a dependency on external service.