Is marcopesani/bitrefill-website safe?
https://github.com/openclaw/skills/tree/main/skills/marcopesani/bitrefill-website
The bitrefill-website skill is a pure-markdown agent helper for Bitrefill shopping tasks. It contains no executable code, no prompt injection payloads, and no credential-harvesting instructions; all canary files remained intact. The primary concerns are an unverified author identity (personal namespace 'marcopesani' claiming official 'bitrefill' authorship), a recommendation to register an external HTTP MCP endpoint that extends the agent's runtime trust boundary, and inherent financial transaction risk from cryptocurrency purchase enablement.
Findings (7)
MEDIUM External MCP server registration instructed -23
SKILL.md explicitly instructs the agent (and users) to add https://api.bitrefill.com/mcp as an HTTP-transport MCP server via 'claude mcp add'. Adding external MCP endpoints introduces a supply-chain trust boundary: if that endpoint were ever compromised or replaced, it could inject arbitrary tool definitions into the agent's capability set at runtime.
MEDIUM Author/owner identity mismatch suggests unofficial brand impersonation -18
The skill's directory owner is 'marcopesani' (a personal GitHub namespace) but the SKILL.md frontmatter declares author as 'bitrefill', implying official origin. There is no evidence this is a verified Bitrefill employee account. Users may install this believing it is the official Bitrefill-published skill.
LOW Financial transaction capability with cryptocurrency -7
The skill enables the agent to assist with purchasing gift cards and mobile top-ups using Bitcoin/Lightning or card payments. An agent with this skill active during a malicious prompt-injection scenario could be directed to complete unauthorized purchases on behalf of a logged-in user.
LOW Browser session access via Chrome DevTools -15
The skill authorizes use of Chrome DevTools for visual flows including login and account creation. This gives the agent access to browser session state (cookies, tokens) that could leak if combined with a malicious co-installed skill.
INFO No executable code — pure markdown skill 0
The skill contains only .md reference files and a _meta.json descriptor. No npm scripts, shell scripts, git hooks, or executable code of any kind were found.
INFO Clean install — no unexpected network or filesystem activity 0
The git sparse-checkout clone connected only to github.com (140.82.121.4:443). No connections to bitrefill.com, no DNS queries to third parties, and no filesystem writes outside the designated skill directory were observed during installation.
INFO All canary files intact 0
Honeypot credential files (.env, id_rsa, AWS credentials, npmrc, Docker config, GCP credentials) were not read or exfiltrated by the skill. Filesystem access events to these paths are attributable to the audit scaffold (pre-clone setup and post-clone canary verification), not to skill content.