Is latekvo/radon-ai safe?
https://github.com/openclaw/skills/tree/main/skills/latekvo/radon-ai
The radon-ai skill is a clean documentation-only file describing Radon IDE's MCP server tools for React Native development. It contains no executable code, no prompt injection vectors, no data exfiltration mechanisms, and no supply-chain attack surface beyond two static text files. The only meaningful risks are inherent to the skill's stated purpose: the network inspection tools expose raw HTTP traffic (including auth headers) to the agent, and the screenshot tool exposes app viewport contents. Canary file accesses observed during monitoring correlate to audit infrastructure checkpoints, not skill-induced activity.
Findings (4)
LOW Network inspector tools expose raw HTTP traffic including auth headers (-10)
The view_network_logs and view_network_request_details tools return complete request metadata including headers and body. In a React Native app these fields routinely contain Authorization tokens, session cookies, and API keys. Any agent with this skill injected into its context could surface these secrets through normal debugging workflows.
LOW Screenshot tool can capture sensitive UI state (-6)
view_screenshot captures the full app viewport. If the app displays credentials, PII, or secure content, the agent gains visual access to that data through this tool.
INFO External MCP server and daily-updated knowledge database not auditable from skill file (-18)
The skill activates tools served by Radon IDE's MCP server process. The server's behavior, what data it sends externally, and whether its daily-updated knowledge database embeds tracking or exfiltration are outside the scope of this static audit. Trust is transitively extended to Software Mansion.
INFO Canary files read before and after install, consistent with audit infrastructure (-10)
All six canary files were opened atomically at 1771904839.749 (5 seconds before git clone) and again at 1771904862.386 (after installation). The pre-clone access cannot be attributed to the skill. The post-install access matches the audit system's checkpoint pattern. Canary integrity confirmed intact.