Is kuns9/upbit-market-data-skill safe?

https://github.com/openclaw/skills/tree/main/skills/kuns9/upbit-market-data-skill

89
SAFE

This is a legitimate Node.js CLI tool for fetching cryptocurrency market data from the Upbit exchange API. The code is well-structured with no evidence of malicious behavior, though it requires API credentials and makes external network requests, as expected for its functionality.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 98/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (4)

INFO Canary file access detected -10

Sensitive canary files (.env, SSH keys, AWS credentials) were accessed during the audit period, but timestamp analysis shows this occurred before skill installation, indicating monitoring system activity.

LOW API credential requirement -7

The skill requires Upbit API credentials (accessKey/secretKey) for authenticated operations, which could be misused if the system is compromised, though there is no evidence of credential misuse in the code.

INFO Sensitive file monitoring alerts -10

Monitoring detected access to honeypot files, but the files remained intact and the timing suggests system-level activity rather than skill-induced access.

LOW External API dependencies -5

The skill makes network requests to the cryptocurrency exchange API, which is expected behavior but creates external dependencies.