Is m4vf14/perplexity-search-skill safe?
https://github.com/openclaw/skills/tree/main/skills/m4vf14/perplexity-search-skill
The perplexity-search skill is a minimal, clean web search wrapper using Python stdlib to call the Perplexity API with a user-supplied API key. No prompt injection, no credential-targeting filesystem access, no install hooks, no unexpected network connections during install, and all honeypot canary files remain intact and unmodified. The sole substantive concern is inherent to its purpose: all search queries are transmitted to and logged by Perplexity as a third-party service, which users should factor into how they use this skill.
Findings (5)
LOW All search queries transmitted to Perplexity (third-party logging) -12
Every search query issued through this skill is sent verbatim over HTTPS to api.perplexity.ai. This is the core function and not malicious, but Perplexity logs all API queries under their terms of service. Users should treat this identically to any commercial search API and avoid passing confidential, personally identifying, or sensitive business information as query strings.
LOW Executable Python script bundled in skill -13
scripts/search.py is a live executable that the agent runtime will invoke. Current code is clean (stdlib only, no shell execution), but any future update to this script—if the skill auto-updates from the openclaw/skills monorepo—could introduce malicious behavior without user review. Users should pin to a specific commit hash or version.
INFO Self-issued security audit carries no independent weight -5
The skill bundles SECURITY_AUDIT.md claiming a full security review was completed and signed off by 'OpenClaw AI Assistant'. This is self-certification by the same AI toolchain used to develop the skill. It provides no independent assurance and should be disregarded entirely in trust assessments.
INFO Author local filesystem path exposed in PUBLISHING.md -3
PUBLISHING.md hardcodes the developer's macOS home directory path, revealing their username (craigmilligan) and workspace layout. This is confined to documentation and has no runtime security impact, but contributes minor background context about the developer environment.
INFO Pre-existing Ubuntu infrastructure connections present during monitoring window -5
Connections to 91.189.91.48:443 and 185.125.188.57:443 (Canonical Ubuntu servers) were established before the skill install began and are standard for Ubuntu cloud VMs (update infrastructure). They were fully absent in the post-install connection snapshot, confirming the skill did not create or use them.