Is khaliqgant/relaycast safe?

https://github.com/openclaw/skills/tree/main/skills/khaliqgant/relaycast

91
SAFE

This skill appears to be legitimate documentation for a messaging system called Relaycast. It contains no malicious code or prompt injection attempts, and the monitoring detected no suspicious behavior during installation. The skill only creates documentation files and does not automatically execute any commands or access sensitive data.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (3)

INFO Documentation contains executable shell commands -15

The skill documentation includes various shell commands such as npm install, curl commands, and CLI usage examples. While these are not automatically executed by the skill itself, users may run them manually.

INFO References external API endpoints -10

The skill documentation references external API endpoints (api.relaycast.dev) and instructs users to configure API keys, which could potentially be a vector for data exfiltration if the external service is compromised.

INFO Introduces external dependencies -20

The skill introduces dependencies on external npm packages and API services that users would need to install and configure separately. While the skill itself is safe, the referenced dependencies introduce additional attack surface.