Is mib424242/riskofficer safe?
https://github.com/openclaw/skills/tree/main/skills/mib424242/riskofficer
The riskofficer skill is a well-structured, markdown-only financial portfolio analytics tool with no prompt injection, no executable code, and a clean installation profile (only GitHub contacted, no persistent connections post-install, all canary files intact). The primary risk is third-party trust: every API call routes sensitive financial data — including real broker-synced portfolio positions — to api.riskofficer.tech, requiring the user to fully trust that service's security and data handling. Credential file reads observed during monitoring are attributed to the oathe audit framework's canary setup and teardown cycles, not the skill itself.
Findings (6)
MEDIUM All portfolio and broker data transmitted to third-party service -12
Every API call the agent makes transmits the user's RISK_OFFICER_TOKEN and portfolio data to api.riskofficer.tech. This includes real broker-synced positions (Tinkoff/T-Bank, Alfa), historical snapshots, and full holding details (ticker, quantity, avg_price, value). This is declared behavior, not concealed, but users must fully trust the riskofficer.tech backend for data confidentiality and retention. A compromised or malicious riskofficer.tech backend could aggregate detailed investment profiles.
MEDIUM Credential files accessed during monitoring — attributed to audit framework, not skill -6
Files /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were batch-opened at two points: audit timestamp 1771931952 (5 seconds before git clone) and 1771931978 (after install completion). The pre-install batch is clearly audit canary setup. The post-install batch at identical millisecond precision across six files matches the audit framework's final canary verification pass. Canary integrity confirmed intact. No process EXECVE record implicates the skill or its install script in these reads.
LOW Irreversible destructive operations with enforcement gap -18
The skill provides API instructions for permanently deleting all portfolio snapshots (irreversible archive) and disconnecting broker connections that require the mobile app to reconnect. The skill correctly instructs the agent to always confirm with the user before executing these. However, in a compromised agent session or via prompt injection from another source, an attacker could trigger these operations. The confirmation requirement is behavioral, not cryptographic.
LOW External URLs in skill instructions could be browsed by agent -7
The skill references tbank.ru for obtaining broker API tokens, clawhub.ai for installation, forum.riskofficer.tech for support, and [email protected]. If an agent attempts to navigate to these URLs during a session, content at those pages could potentially inject additional instructions. All URLs are contextually appropriate and openly declared; this is a low-probability attack vector but worth noting.
INFO Pure markdown skill — zero executable surface 0
The installed skill consists exclusively of SKILL.md, README.md, and _meta.json. No executable code, no package.json, no git hooks, no submodules. The README self-declares this explicitly. The skill instructs the agent to run curl commands during normal use, which is expected API interaction behavior.
INFO Standard sparse monorepo checkout from GitHub 0
Installation cloned the openclaw/skills monorepo with --depth 1 --no-checkout, then used sparse-checkout to extract only the riskofficer skill path. This is the expected openclaw installation pattern. The temporary clone directory was cleaned up. No additional network connections were made beyond the single GitHub TLS session.