Is mig6671/stepfun-openrouter safe?

https://github.com/openclaw/skills/tree/main/skills/mig6671/stepfun-openrouter

91
SAFE

This skill provides legitimate CLI integration with StepFun AI models via the OpenRouter API. The shell script performs expected API operations and contains no malicious functionality, though it does require API key access for operation.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 95/100 · 5%

Findings (3)

MEDIUM Executable shell script with network requests -20

The skill contains a bash script that makes HTTP requests to external APIs. While the functionality appears legitimate (OpenRouter API integration), executable scripts pose inherent security considerations.

LOW Environment variable access -10

The shell script reads the OPENROUTER_API_KEY environment variable, which is expected functionality for API authentication but represents credential access.

INFO Standard git clone operations -10

Monitoring detected normal git clone behavior including GitHub connections and standard filesystem access patterns during installation.