Is lars147/apo-cli safe?
https://github.com/openclaw/skills/tree/main/skills/lars147/apo-cli
apo-cli is a well-scoped pharmacy product search and cart management skill targeting apohealth.de's public Shopify API. The Python implementation is minimal, uses only stdlib, makes no unexpected network connections, reads no sensitive files, and contains no install hooks or code execution vectors. The sole notable observations are: a public Shopify Storefront token documented (but not exploited) in RESEARCH.md, and canary path accesses in the syscall audit that are attributable to the Oathe monitoring system's own baseline checks rather than the skill. Canary integrity is confirmed clean.
Findings (5)
LOW Broad keyword triggers may cause unintended activation -7
The skill's trigger list includes generic English and German medical terms (pharmacy, medication, Medikament, health products). In any medical conversation the agent may invoke this skill and surface pharmacy product links unnecessarily.
INFO Public Shopify API token bundled in RESEARCH.md -10
A Shopify Storefront Access Token is documented in RESEARCH.md. It is confirmed publicly visible in the store's page source and carries only read-level storefront permissions (public product/cart API). Storefront tokens are designed to be embedded in client-side code, so shipping one is not a security risk, but there is no reason for the skill to include it.
INFO Pure stdlib Python, zero external dependencies, no install hooks 0
apo_cli.py uses only Python stdlib (urllib, json, ssl, argparse, webbrowser). pyproject.toml has no preinstall/postinstall scripts. No git hooks, git submodules, or symlinks are present.
INFO No unexpected filesystem changes outside skill directory 0
Filesystem diff confirms only skill-under-test directory was populated. No writes to home directory, no new cron jobs, no shell profile modifications.
LOW Canary paths appear in syscall log but exfiltration not detected -15
Auditd PATH records show canary files accessed post-install; however, the timing and batching pattern (all six files at identical timestamps, sequential event IDs, same order as the pre-install baseline) is consistent with the Oathe monitoring script's own integrity verification loop. The canary content integrity check is clean, and the skill source code contains no file read operations targeting these paths. Correlating the SYSCALL records that share those event IDs (their pid and exe fields) with the monitor process would make the attribution definitive rather than inferred from timing.
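The attribution argument in this finding (identical timestamps, consecutive event IDs, same file order as the baseline) can be checked mechanically rather than by eye. The script below is an added example, not the scanner's code: it parses auditd `PATH` and `SYSCALL` records, groups canary accesses into batches, compares each batch against the order seen in a pre-install baseline log, and optionally requires the `exe` of every event in the batch to be the monitor's interpreter. The log lines, canary paths and monitor path are constructed for the example; real auditd output has more fields per record and, for `openat`, usually two `PATH` items per event, which the parser tolerates because it only keys on `name=`.

```python
"""Classify canary-file accesses in auditd output as the monitor's own baseline
sweep or as something to review. Added example with constructed log lines."""
import re

# auditd record header: type=PATH msg=audit(<epoch>.<ms>:<serial>): key=value ...
HDR_RE = re.compile(r'^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Parse one auditd line into a dict; return None for lines that are not audit records."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": m["ts"], "serial": int(m["serial"])}
    for key, val in KV_RE.findall(m["rest"]):
        rec[key] = val.strip('"')
    return rec


def canary_hits(lines, canaries):
    """(serial, ts, path) for every PATH record naming a canary, sorted by serial,
    plus the exe recorded by the SYSCALL record with the same serial."""
    hits, exe_by_serial = [], {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["type"] == "SYSCALL":
            exe_by_serial[rec["serial"]] = rec.get("exe")
        elif rec["type"] == "PATH" and rec.get("name") in canaries:
            hits.append((rec["serial"], rec["ts"], rec["name"]))
    return sorted(hits), exe_by_serial


def split_batches(hits):
    """Group sorted hits into runs of consecutive serials that share one timestamp."""
    batches = []
    for hit in hits:
        if batches and hit[0] == batches[-1][-1][0] + 1 and hit[1] == batches[-1][-1][1]:
            batches[-1].append(hit)
        else:
            batches.append([hit])
    return batches


def classify(post_lines, baseline_lines, canaries, monitor_exe=None):
    """One verdict per batch of canary accesses in the post-install log."""
    base = split_batches(canary_hits(baseline_lines, canaries)[0])
    baseline_order = [h[2] for h in base[0]] if base else []
    hits, exe_by_serial = canary_hits(post_lines, canaries)
    verdicts = []
    for batch in split_batches(hits):
        names = [h[2] for h in batch]
        exes = {exe_by_serial.get(h[0]) for h in batch}
        same_pattern = names == baseline_order          # same files, same order, one batch
        same_exe = monitor_exe is None or exes == {monitor_exe}
        verdicts.append({
            "serials": (batch[0][0], batch[-1][0]),
            "ts": batch[0][1],
            "paths": names,
            "exe": sorted(e or "?" for e in exes),
            "verdict": "monitor-baseline" if same_pattern and same_exe else "review",
        })
    return verdicts


# Constructed sample data (three canaries instead of the report's six).
CANARIES = {"/root/.canary/aws_credentials", "/root/.canary/id_rsa", "/root/.canary/env.secrets"}
MONITOR = "/usr/bin/python3"   # assumed interpreter of the monitoring script


def _event(ts, serial, exe, comm, path):
    """Minimal SYSCALL + PATH pair for one audit event, in auditd's text format."""
    return [
        f'type=SYSCALL msg=audit({ts}:{serial}): arch=c000003e syscall=257 success=yes exit=3 comm="{comm}" exe="{exe}"',
        f'type=PATH msg=audit({ts}:{serial}): item=0 name="{path}" inode=4242 mode=0100600',
    ]


BASELINE_LOG = (_event("1700000000.100", 100, MONITOR, "python3", "/root/.canary/aws_credentials")
                + _event("1700000000.100", 101, MONITOR, "python3", "/root/.canary/id_rsa")
                + _event("1700000000.100", 102, MONITOR, "python3", "/root/.canary/env.secrets"))

POST_LOG = (_event("1700000100.250", 500, MONITOR, "python3", "/root/.canary/aws_credentials")
            + _event("1700000100.250", 501, MONITOR, "python3", "/root/.canary/id_rsa")
            + _event("1700000100.250", 502, MONITOR, "python3", "/root/.canary/env.secrets")
            + _event("1700000105.000", 510, MONITOR, "python3", "/tmp/skill/apo_cli.py")   # not a canary
            + _event("1700000130.777", 530, "/usr/bin/cat", "cat", "/root/.canary/id_rsa"))  # lone read

if __name__ == "__main__":
    for v in classify(POST_LOG, BASELINE_LOG, CANARIES, MONITOR):
        print(v)
```

On the constructed logs the first batch (serials 500 to 502) matches the baseline sweep and is labelled `monitor-baseline`; the single read at serial 530 is labelled `review`. The `exe` comparison only separates the monitor from the skill when they run under different interpreters, which is why the batching and ordering test, the same reasoning the finding above applies, carries most of the weight; a pid comparison against the monitor's pid, when it is known, would be stronger still.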