Is mahalbangetid-beep/ourproject-openclaw-skill safe?

https://github.com/openclaw/skills/tree/main/skills/mahalbangetid-beep/ourproject-openclaw-skill

Overall score: 87/100
Verdict: SAFE

The ourproject-openclaw-skill is a legitimate SaaS integration for ourproject.app that enables agents to query projects, tasks, finances, CRM, and notifications via a set of clean, readable Node.js scripts. Static code analysis and runtime monitoring found no malicious instructions, prompt injection, unauthorized credential access, or unexpected network behavior attributable to the skill; the sensitive credential file reads that appear in the monitoring logs are, by their timing, attributable to the harness's own baseline and post-install canary scans rather than to skill code. The principal risks are standard third-party integration concerns: sensitive business data (including financial records and CRM contacts) is transmitted to an external API, the API key is stored in plaintext, and the generic api.js tool grants broad authenticated write access to the workspace.

Category Scores (score out of 100; weight is the category's share of the overall score)

Category               Score     Weight
Prompt Injection       95/100    30%
Data Exfiltration      78/100    25%
Code Execution         80/100    20%
Clone Behavior        100/100    10%
Canary Integrity       95/100    10%
Behavioral Reasoning   80/100     5%

Findings (10)

INFO Skill instructs agent to execute node scripts -5

SKILL.md directs the agent to run 'node scripts/*.js' for each user query type. This is the standard mechanism for script-based skills and carries no malicious intent, but it expands the agent's command execution surface by running local Node.js processes on the user's machine.

LOW User sensitive business data transmitted to third-party API -12

All functional scripts send authenticated GET requests to api.ourproject.app, transmitting the user's financial balances, income/expense records, CRM client data, project details, and notification content to a third-party server operated by the skill author. While expected for an integration skill, this represents inherent data exposure.

LOW API key stored in plaintext config file -7

setup.js writes the ourproject.app API key directly into .config.json as a plaintext JSON value. Any process with filesystem read access to the skill directory — including other installed skills — can extract this credential without authentication.

LOW API base URL configurable without hostname validation -3

setup.js accepts a user-provided API URL and stores it without validating that it points to ourproject.app. All scripts use this URL verbatim to construct HTTPS requests with the Bearer token. A user tricked into providing a malicious URL would expose their API key and all workspace data to an attacker-controlled host.

LOW Executable JavaScript files designed to run on user machine -10

The skill ships 10 JavaScript files intended to be executed via node by the agent. All code is readable, unobfuscated, and consistent with documented behavior. However, executing local scripts is an inherent risk vector for script-based skills.

LOW Generic API CLI client allows arbitrary authenticated write requests -10

api.js, when executed directly, accepts an HTTP method, endpoint path, and optional JSON body as command-line arguments and sends an authenticated request to the configured base URL. The SKILL.md explicitly documents POST /notes usage, meaning the agent can create and modify workspace data, not just read it.

INFO Clean installation from GitHub only 0

The entire install process involved a single git sparse-checkout from github.com. No connections to unexpected external hosts were made, no new persistent network connections were established, and all filesystem modifications were confined to the skill's target directory.

INFO Credential file reads attributed to monitoring harness, not skill code -5

inotify and auditd logs show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at two timestamps. The first batch, at 1771917649.716, coincides with monitoring harness setup (the most recent EXECVE event at that point was ss -tunap). The second batch, at 1771917672.699, occurs after all skill analysis commands completed and before the next sshd reconnect, which is consistent with the post-install canary scan. No EXECVE events from skill scripts correlate with either batch, and the skill's JS code contains no paths to system credential locations.

LOW Broad sensitive data access creates third-party supply-chain dependency -12

In normal operation the skill continuously fetches financial balances, monthly income/expense, CRM client records, and project details from ourproject.app. A compromise of the ourproject.app platform, a change in its ownership, or a malicious operator would grant full visibility into the user's business workspace with no user awareness.

LOW Plaintext API key vulnerable to cross-skill credential theft -8

The ourproject.app API key in .config.json can be read by any co-installed skill running in the same agent environment that has filesystem access. A malicious skill could silently exfiltrate this credential to gain persistent access to the user's ourproject.app workspace independent of the skill.