Is l-fy/myfeed safe?

https://github.com/openclaw/skills/tree/main/skills/l-fy/myfeed

86
SAFE

This skill provides legitimate integration with the MyFeed social scheduling application, allowing users to create events and invite contacts. While the skill appears benign and contains no malicious code, it does transmit personal data including phone numbers to an external service.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (3)

MEDIUM External API Data Transmission -30

The skill is designed to send personal scheduling data and contact phone numbers to the external API endpoint skill.myfeed.life. While this appears to be legitimate functionality for the MyFeed social calendar app, it represents a potential data privacy risk.

LOW External HTTP Requests -15

The skill instructs the agent to make HTTP requests to external domains, which could potentially be used for unintended data transmission, though no malicious instructions were detected.

LOW Sensitive Personal Data Access -15

The skill handles sensitive personal information including contact phone numbers, scheduling data, and requires full API access to user's MyFeed account.