Is leo-paz/outlit-sdk safe?

https://github.com/openclaw/skills/tree/main/skills/leo-paz/outlit-sdk

Score: 89 · SAFE

The outlit-sdk skill is a well-structured, vendor-published integration guide for the Outlit customer analytics SDK with no prompt injection, no executable code, and no exfiltration mechanisms targeting credential files. The principal risks are its routine outbound fetches to the vendor-controlled docs.outlit.ai domain (creating a supply-chain dependency on a third party) and its extensive codebase technology-stack reconnaissance that, while serving legitimate integration purposes, builds commercially sensitive intelligence. Installation monitoring confirmed clean behavior with no unexpected network connections or filesystem writes.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

MEDIUM Mandatory Outbound Fetches to Vendor-Controlled Documentation Domain -12

Every major integration decision branches into an explicit instruction to fetch content from docs.outlit.ai (React, Next.js, identity resolution, customer journey, ingest API, etc.). These fetches occur during normal use, not just installation. The vendor's infrastructure observes agent activity signals — which frameworks are being integrated, which auth and billing providers are present. If docs.outlit.ai is compromised or serves adversarial content, the agent would receive and act on those instructions in place of legitimate documentation. The 'Full docs index' URL (docs.outlit.ai/llms.txt) represents an unscoped bulk fetch.

LOW Extensive Technology Stack Reconnaissance Across Codebase -6

The Full Detection phase directs the agent to grep and glob for auth providers (Clerk, NextAuth, Supabase, Auth0, Firebase), billing providers (Stripe, Paddle, Chargebee), analytics tools (PostHog, Amplitude, Mixpanel, Segment), analytics abstraction files in lib/utils/helpers/services, EU/GDPR consent signals, and activation/onboarding route patterns. The skill consolidates this into a summary presented to the user before proceeding. While the data serves legitimate SDK integration, it constitutes deep codebase intelligence that, in combination with other active skills, could be aggregated or leaked.

LOW Third-Party Package Installation Without Integrity Verification -5

The skill instructs the agent to install @outlit/browser, @outlit/node, or the outlit Rust crate using whichever package manager is detected. No checksum, signature, or hash verification step is included. The security posture of these packages is not evaluated by the skill itself and depends entirely on the npm/crates.io registry supply chain.

INFO Full Documentation Index URL Included in Doc URL Map -10

The Doc URL Map includes docs.outlit.ai/llms.txt, labeled as 'Full docs index'. Fetching this URL retrieves a complete listing of all Outlit documentation and could consume substantial context window space. The URL pattern /llms.txt suggests it is specifically formatted for LLM consumption, which is benign in itself but merits awareness.

INFO Clean Installation — No Unexpected Behavior Detected 0

The installation process performed a standard git sparse-checkout from the openclaw/skills monorepo, extracted the skill files to the designated directory, and cleaned up the temporary clone. Network connections were limited to GitHub and Ubuntu infrastructure. No unexpected process spawning, filesystem writes outside the skill directory, or firewall-blocked connection attempts were observed.

INFO All Honeypot Credential Files Intact 0

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were not modified or exfiltrated. Auditd file access events for these paths at timestamps 1771952999 and 1771953016 match the periodic scan cadence of the Oathe audit system itself rather than skill-triggered access.