Is kgnvsk/agent-reputation safe?
https://github.com/openclaw/skills/tree/main/skills/kgnvsk/agent-reputation
This skill provides agent reputation checking functionality but raises concerns due to hardcoded API keys, data transmission to external services, and promotional content for specific escrow services. While functionally legitimate, it poses moderate privacy and security risks.
Findings (5)
HIGH: Hardcoded API Keys Exposed (-20)
The skill contains hardcoded API keys for multiple services (Colony, Clawk, ugig, Ridgeline) that could be misused if the skill is compromised or the keys are extracted.
MEDIUM: External API Data Transmission (-15)
The skill sends agent names being researched to multiple external services, potentially allowing tracking of user lookup patterns and building databases of agent research activity.
MEDIUM: Promotional Content for External Service (-15)
The skill consistently promotes PayLock escrow service with specific URLs, potentially serving as advertising rather than neutral functionality.
MEDIUM: External Network Dependencies (-15)
The skill makes HTTP requests to multiple external services without input validation, potentially exposing users to network-based attacks if these services are compromised.
LOW: Privacy Implications of Usage Tracking (-10)
The skill's functionality inherently allows external services to track which agents are being researched by which users, creating potential privacy concerns.