Is kiszly/fred-navigator safe?

https://github.com/openclaw/skills/tree/main/skills/kiszly/fred-navigator

Overall score: 84 · SAFE

kiszly/fred-navigator is a well-scoped economic data navigation skill for the FRED API. The SKILL.md is clean with no prompt injection or override language, the install was limited to a single GitHub connection, and all canary files are intact. The primary risk vectors are standard for any scripting skill: the agent will execute Python scripts that make authenticated calls to api.stlouisfed.org, and the full content of those scripts was not disclosed in audit evidence. No malicious behavior was observed.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 73/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 93/100 · 10%
Behavioral Reasoning 83/100 · 5%

Findings (6)

MEDIUM Agent instructed to execute Python scripts with outbound network access -27

SKILL.md directs the agent to run fred_query.py and build_paths.py via shell. These scripts make authenticated calls to the FRED API using FRED_API_KEY from the environment. While this is documented and expected, agent-executed Python is a code execution surface: if the scripts were malicious or tampered with, they could access the broader runtime environment. The script content was not fully disclosed in audit evidence.

LOW Outbound network calls to FRED API are required and documented -22

The skill's core function requires the agent to make authenticated HTTPS requests to api.stlouisfed.org using FRED_API_KEY. This is explicitly documented in SKILL.md. While this is expected behavior, it does mean the agent will make external network calls when the skill is active.

LOW Canary file access pattern observed — attributed to audit framework -22

inotify and auditd logs show OPEN/ACCESS events on /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at timestamps 1771907988 and 1771908005. These align with the audit framework's pre- and post-install canary checks, not with any skill artifact execution. Canary integrity report confirms files are unmodified.

LOW Skill instructs agent to execute shell commands — standard scripting pattern -10

SKILL.md repeatedly instructs the agent to invoke shell commands (e.g., 'scripts/fred_query.py category '). This is standard for scripting skills but means the agent will spawn processes. The instructions are bounded and purposeful, with no attempt to chain unexpected capabilities.

INFO Large reference JSON files will inflate agent context window -17

The skill bundles fred_categories_tree.json, fred_categories_flat.json, category_paths.json, and synonyms.json. SKILL.md instructs the agent to load these for intent matching. Depending on their size, this may significantly consume context window capacity.

INFO Clean install from expected GitHub repository -5

Installation performed a sparse git clone of the openclaw/skills monorepo, checked out only the fred-navigator subpath, copied files, and removed the temp clone. No unexpected network destinations, no unexpected processes, no filesystem writes outside the skill directory.