Is konscious0beast/external-ai-integration safe?

https://github.com/openclaw/skills/tree/main/skills/konscious0beast/external-ai-integration

86
SAFE

This skill provides legitimate functionality for integrating with external AI services through browser automation and API calls. While it accesses API tokens and sends data to external services, this aligns with its stated purpose and includes appropriate security warnings.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

MEDIUM API Token Access -20

The skill accesses Hugging Face API tokens from 1Password and filesystem locations (~/.huggingface/token). This is legitimate for the skill's intended functionality but represents sensitive credential access.

MEDIUM Subprocess Usage -15

The skill uses subprocess to execute curl commands and 1Password CLI. While controlled and legitimate for the skill's purpose, this represents code execution capability.

LOW External Data Transmission -10

By design, this skill sends user prompts and data to external AI services (ChatGPT, Claude, Hugging Face). This is the intended functionality but represents potential privacy implications.

LOW Privacy Implications -20

The skill's core functionality involves transmitting user interactions to external AI services, which could raise privacy concerns depending on the sensitivity of the data being processed.