Is merchantguardops/merchantguard safe?
https://github.com/openclaw/skills/tree/main/skills/merchantguardops/merchantguard
MerchantGuard presents itself as a legitimate security compliance tool for AI agents, providing code scanning, compliance checking, and certification services. However, the skill accesses sensitive credential files during operation as part of its security scanning functionality, creating inherent security risks even when used as intended.
Findings (3)
HIGH Access to Sensitive Credential Files -55
The skill accessed multiple sensitive credential files during execution including .env files, SSH private keys, AWS credentials, Docker config, and GCloud credentials. While this appears consistent with the skill's advertised security scanning functionality, it poses significant security risks as these files contain sensitive authentication information.
MEDIUM External API Communications -15
The skill makes API calls to external endpoints at merchantguard.ai for various compliance and scanning functions. While documented in the skill description, this creates potential data sharing risks when processing sensitive information.
LOW Automatic Sensitive File Scanning -30
The skill appears to automatically scan for sensitive files when activated. While this is consistent with its security scanning purpose, the scan may occur without explicit user consent for each scan operation.