Is mart1n-xyz/bunpro-sync safe?

https://github.com/openclaw/skills/tree/main/skills/mart1n-xyz/bunpro-sync

96
SAFE

This skill is a legitimate utility for syncing Japanese grammar learning progress from Bunpro to local storage. The code is well-documented, performs only the stated functionality, and shows no evidence of malicious behavior.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 98/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (5)

INFO API Token Required -5

Skill requires BUNPRO_FRONTEND_API_TOKEN environment variable to access Bunpro API

INFO Executable Python Scripts -5

Skill contains Python scripts that will execute when used

LOW Extensive Documentation -5

Large amount of instructional text that could potentially be misused, though it appears legitimate

INFO Network API Access -2

Skill will make network requests to external API during normal operation

INFO Third-party API Integration -5

Skill integrates with external service requiring user authentication