Is matt998759/ned-analytics safe?

https://github.com/openclaw/skills/tree/main/skills/matt998759/ned-analytics

93
SAFE

This skill appears to be a legitimate Shopify analytics tool that queries the Ned API service. It contains standard API client functionality with proper error handling and no obvious security vulnerabilities or malicious behavior.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

MEDIUM External API requests with credentials -20

The skill makes HTTP requests to api.meetned.com with user's API key. While this appears to be legitimate functionality, it does transmit user credentials to external endpoints.

LOW Contains executable shell script -5

The skill includes a bash script that could be executed by the agent. The script appears benign and only makes API calls.

LOW API key exposure risk -10

The skill requires storing sensitive API credentials in environment variables, which could potentially be logged or exposed through agent output.