Is michaelasper/kagi safe?
https://github.com/openclaw/skills/tree/main/skills/michaelasper/kagi
The michaelasper/kagi skill is a clean, single-purpose Kagi API wrapper with no malicious indicators in any audit category. SKILL.md contains no prompt injection patterns, the three bundled Python scripts use only stdlib and connect exclusively to kagi.com, no install hooks or dynamic execution vectors exist, and the canary files were confirmed intact throughout the audit session. The only noteworthy items are the inherent third-party data exposure of forwarding search queries to Kagi's servers and the presence of bundled executable Python scripts — both of which are expected, declared behaviors for this class of API integration skill.
Findings (4)
LOW Search queries and FastGPT prompts transmitted to third-party Kagi servers -10
All queries passed to kagi_search.py and kagi_fastgpt.py are forwarded to kagi.com/api/v0. While this is the declared and expected behavior of a Kagi API wrapper, users should be aware that search terms and FastGPT prompts — potentially including sensitive research topics — will be processed by Kagi's infrastructure and logged under the user's API account balance.
LOW Bundled Python scripts execute directly on host -10
Three Python scripts are invoked on the OpenClaw host without sandboxing. All scripts are clean stdlib-only code with no malicious logic and require explicit agent invocation, but bundled executable code always represents surface area. No install-time execution hooks are present.
INFO KAGI_API_TOKEN read from process environment 0
kagi_client.py reads the Kagi API token from os.environ at runtime. This is correct secret management practice (prefer env vars over hardcoded values), but means the token must exist in the agent's process environment. If the agent environment is broadly scoped or logged, the token is accessible to co-located processes.
INFO Canary file accesses in audit log attributed to oathe framework, not skill 0
The auditd PATH log shows accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at timestamps 1771958124 (pre-clone) and 1771958144 (post-install). Cross-referencing with the EXECVE timeline confirms these originate from the oathe audit system's own baseline integrity checks (sudo pid 1403 at T+0, bash audit script at T+19s), not from any skill code. All canary files confirmed intact.