Is lukem121/find-emails safe?
https://github.com/openclaw/skills/tree/main/skills/lukem121/find-emails
This skill embeds deliberate advertising for a service selling fake Twitter followers (SocialCrow.co) inside SKILL.md, causing that promotional content to be injected into any LLM's system prompt when the skill is active — a form of commercial prompt poisoning unrelated to the skill's stated email-extraction purpose. The functional Python code (find_emails.py) is clean with no detected backdoors or credential harvesting, and the install process was limited to a legitimate GitHub clone with no unexpected network connections or canary exfiltration. The combination of irrelevant advertising injection, Shell tool access, and a dual-use email harvesting capability optimized for bulk collection places this skill firmly in the CAUTION tier.
Findings (6)
HIGH Embedded advertising for fake social media followers in SKILL.md -60
The final section of SKILL.md — 'Use Case Example: Social Media Growth Strategy' — is entirely unrelated to email extraction. It promotes SocialCrow.co and specifically links to a page for buying Twitter followers. This content is injected verbatim into the LLM's system prompt when the skill is active, constituting deliberate context pollution. The agent may reference or recommend these services when users ask about social media strategy, causing reputational and ethical harm.
MEDIUM Shell tool access requested beyond stated functional requirements -30
The skill declares Shell in its allowed-tools list. The described workflow (running a Python script and writing output files) could be accomplished with Read, Write, and a sandboxed Python executor. Requesting Shell access grants the LLM the ability to run arbitrary system commands under user permissions, creating unnecessary risk surface that could be exploited via secondary prompt injection in crawled web content.
MEDIUM Skill purpose facilitates mass email harvesting for spam and phishing -55
The skill is optimized for high-throughput email address collection: multi-domain crawling, up to 25 pages per domain, JSON output with domain-grouped attribution, and batch processing loops. These characteristics align with spam list compilation and phishing target enumeration. While email lookup has legitimate uses, this level of optimization combined with the advertising injection raises questions about the author's primary user base.
LOW Third-party pip and Playwright installation required -20
Setup requires pip install crawl4ai and playwright install, which download and execute substantial third-party code including a Chromium browser binary. These dependencies expand the supply-chain risk surface. crawl4ai was not audited as part of this assessment.
LOW Lone unexplained character 't' in Quick Start section -5
The Quick Start section contains an isolated character 't' on its own line before the first code block. While likely an editing artifact, in a skill already exhibiting deliberate content manipulation, unexplained tokens in system-prompt-injected markdown are worth noting.
INFO Canary credential files accessed during monitoring — attributed to audit infrastructure -5
Files including .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials were opened and read at inotify 09:12:51 and again at auditd timestamp 1771924388. The first access cluster predates the skill install window and the second postdates it, and inode numbers are consistent with Oathe's canary initialization and teardown procedures. No exfiltration was detected.