Is lucassynnott/gamma safe?

https://github.com/openclaw/skills/tree/main/skills/lucassynnott/gamma

Overall score: 88 (SAFE)

The lucassynnott/gamma skill is a well-constructed, clean Gamma.app API wrapper with no prompt injection, covert exfiltration mechanisms, or malicious code patterns. Installation was clean — only a single expected GitHub connection was made, no honeypot files were compromised, and no suspicious processes were spawned. The primary risk is structural rather than adversarial: by design, user content is transmitted to a third-party service (Gamma.app), and the documentation's $(cat file.md) pattern could cause an agent to inadvertently send sensitive local files to that service.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

MEDIUM User content transmitted to third-party Gamma.app API by design -15

The skill's core function is to send user-supplied or agent-constructed content to public-api.gamma.app. In sensitive environments — enterprise, legal, medical, or personal — this means any document or topic the agent passes to the skill will be transmitted to and processed by Gamma's servers. This is transparent and documented but constitutes a data privacy boundary that users must consciously accept.

LOW Documentation examples show local file reading via $(cat file.md) pattern -7

SKILL.md examples demonstrate passing $(cat pitch.md) as the content argument, which causes the shell to read a local file and interpolate its contents into the API request. An agent following these documentation patterns on a sensitive file path (e.g., a config file or source document) could inadvertently transmit that file's contents to Gamma.app without explicit user awareness.

LOW Shell script executes with user-controlled content passed to external API -12

The gamma.sh script correctly uses printf '%s' | jq -Rs . for content serialization, preventing shell injection in the JSON body. However, optional string flags (--instructions, --tone, --audience) are passed as raw jq --arg values. jq escapes these safely, so they cannot break out of the JSON, but they still reach the API unchanged, which leaves a surface where sufficiently long or unusual inputs could affect API behavior.

INFO Installation produced only expected GitHub network connection 0

The sparse checkout of skills/lucassynnott/gamma from github.com was the sole external network event during installation. No unexpected DNS lookups, no connections to attacker-controlled infrastructure, and no filesystem modifications outside the designated skill directory were observed.

INFO All honeypot canary files intact — monitoring framework access confirmed benign 0

Canary file accesses (/.env, /.ssh/id_rsa, /.aws/credentials, /.npmrc, /.docker/config.json, /.config/gcloud/application_default_credentials.json) at 09:05:20 precede the git clone by approximately 5 seconds, establishing they are part of the oathe monitoring framework's own setup routine. The monitoring system's integrity report confirms no exfiltration occurred.

LOW No credit rate limiting — potential for Gamma.app credit drain -10

Each generation costs 150–300 credits and the skill has no confirmation prompts or invocation limits. A user or prompt-injected instruction could trigger repeated generation calls, draining the user's Gamma.app credit balance without warning.