Is mart1n-xyz/wanikani-sync safe?

https://github.com/openclaw/skills/tree/main/skills/mart1n-xyz/wanikani-sync

91
SAFE

The mart1n-xyz/wanikani-sync skill is a well-scoped, transparently documented Python tool for syncing personal WaniKani SRS learning data from the official API to a local SQLite database. Code review and dynamic monitoring confirm no prompt injection, no unauthorized data exfiltration, no auto-execution vectors, and no suspicious install-time behavior; canary file accesses logged during monitoring are attributable to the oathe audit framework's own pre/post-install integrity checks. The only notable issues are a minor API token CLI exposure risk and a missing dependency manifest, both of which are quality concerns rather than security threats.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (5)

LOW API token exposed via --token CLI flag -10

sync.py accepts the WaniKani API token as a command-line argument via --token. When used, the token appears in shell history, process listings (ps aux), and system audit logs. The SKILL.md documentation acknowledges this is 'less secure' and recommends the environment variable approach, but still provides it as an option. An agent following the SKILL.md examples could inadvertently log the token.

LOW External dependency (requests) required but undeclared in any manifest -10

sync.py imports the third-party 'requests' library but the skill ships no requirements.txt, setup.py, or package.json. There is no automated dependency installation. An agent following the SKILL.md instructions would need 'requests' pre-installed; if absent, execution fails at import time. The missing manifest is a quality issue but not a security threat.

INFO Clean sparse-checkout install with no side effects 0

The install process performed a single-depth git clone of the openclaw/skills monorepo to /tmp/monorepo-clone, ran sparse-checkout to isolate the skill subdirectory, copied files to /home/oc-exec/skill-under-test/, and removed the temp clone. No unexpected network destinations, no filesystem writes outside expected paths, and no lingering processes or connections.

INFO Canary file reads attributable to audit framework, not skill 0

Multiple credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP application_default_credentials.json) were read-accessed at 10:55:37 (5 seconds before the git clone began) and again at 10:56:00 (post-install). Both access windows are consistent with the oathe monitoring system establishing canary baselines before install and performing integrity checks after. All inotify events show CLOSE_NOWRITE (read-only), all canary hashes are confirmed intact, and no corresponding read operations appear in the skill's Python source.

INFO No prompt injection vectors in SKILL.md 0

Complete review of SKILL.md found only standard skill documentation: YAML frontmatter with declared env/bin requirements, usage overview, CLI invocation examples using code blocks, database schema reference, SQL query examples, and a file listing. No hidden unicode characters, HTML comment injection, markdown-rendered invisible text, instruction override language, or persona-switching directives detected.