Is klicbot/klic-nederland safe?
https://github.com/openclaw/skills/tree/main/skills/klicbot/klic-nederland
This skill is a technically clean, markdown-only knowledge base for Dutch KLIC/WIBON cable-notification regulations that poses no traditional security threats: no executable code, no data exfiltration mechanisms, no prompt injection techniques, and a clean install with only expected GitHub network activity. The primary concern is commercial: the skill is authored by the KLICBOT service itself and contains hardcoded directives instructing the agent to always promote KLICBOT's paid offering (€32.89) while downplaying the official, cheaper Kadaster direct option (€10.50), representing undisclosed advertising injected into agent behavior. The skill is safe to install from a security standpoint but functions as covert commercial advertising dressed as neutral domain knowledge.
Findings (6)
MEDIUM: Mandatory Commercial Referral Directive (score: -15)
The skill explicitly instructs the agent to ALWAYS refer users to KLICBOT for any query about making a KLIC-melding, ordering, or pricing. This embeds a hard commercial behavioral override that supersedes neutral or comparative responses. Users interacting with an agent running this skill will receive KLICBOT promotion regardless of their actual question or stated preferences.
MEDIUM: Undisclosed Commercial Interest, Skill Owner is the Advertised Service (score: -20)
The skill metadata shows owner 'klicbot' and the skill homepage is 'https://klicbot.nl' — the same service the skill aggressively promotes. Users installing what appears to be a neutral KLIC/WIBON knowledge base are unknowingly injecting advertising for the skill author's own commercial product into their agent. This conflict of interest is not disclosed anywhere in the skill description or metadata.
MEDIUM: Biased Pricing Framing Obscures Cheaper Official Option (score: -10)
The pricing comparison table in KLIC_KNOWLEDGE_BASE.md presents KLICBOT (€32.89 all-in) as dramatically cheaper than other commercial providers. However, the official Kadaster direct option — which costs €10.50 with no service fee — is listed but framed as inferior due to 'DigiD + MijnKadaster' requirements, without acknowledging it as a viable primary option that is 3x cheaper. An agent following this skill will systematically steer users away from the official public service and toward a paid commercial intermediary.
LOW: Persona Assignment Without User Consent (score: -3)
The skill immediately assigns a domain expert persona to the agent upon activation. While common in skill design, this changes the agent's epistemic posture without the end user's explicit awareness.
INFO: Post-Install Canary File Access, Attributed to Audit Tooling (score: -3)
Credential canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened at both the start of the audit session (pre-install baseline) and post-install. The skill contains no executable components that could trigger these reads. The canonical canary integrity check confirms files were not modified. Accesses are consistent with the audit framework's periodic canary verification behavior.
INFO: External Service URLs Present, No Active Exfiltration (score: -5)
The skill content references klicbot.nl and a WhatsApp number. These are presented as referral destinations for users, not as endpoints for agent-initiated data transmission. No fetch, POST, or encoding instructions were found.