Is mmsneaks11-max/ebay-trading-api safe?
https://github.com/openclaw/skills/tree/main/skills/mmsneaks11-max/ebay-trading-api
The eBay Trading API skill is a well-structured documentation-only skill (SKILL.md + metadata) with no embedded executable code, no prompt injection attempts, and clean installation behavior. The primary risk is that it directs the agent to execute unaudited external Python scripts in ~/clawd/ebay/ and enables real eBay financial transactions (listings, deletions) without explicit confirmation guardrails documented in the skill. Canary files remained intact and no data exfiltration was detected during the audit.
Findings (7)
MEDIUM Skill references unaudited external Python scripts -22
SKILL.md instructs the agent to execute Python scripts located at ~/clawd/ebay/ (trading_api.py, comps.py, oauth_setup.py, refresh_token.py, etc.). These scripts are NOT part of the skill package and cannot be security-audited as part of this review. If these scripts are malicious or compromised, the agent would execute them without awareness.
MEDIUM Skill enables real financial transactions without confirmation guardrails -20
The skill enables creation of real eBay listings (AddItem) and deletion of existing listings (EndItem) with real monetary values. The skill documentation does not include instructions for the agent to confirm with the user before executing irreversible financial actions. An agent misinterpreting a user request could create or delete eBay listings unintentionally.
LOW Skill makes agent aware of credential file locations -13
The skill documents the precise filesystem paths for eBay API credentials (~/.env.ebay, ~/clawd/ebay/.tokens.json). While this is necessary for the skill's function, it teaches the agent where sensitive auth material is stored. If the agent is later manipulated via prompt injection from another source, these paths could be leveraged for exfiltration.
LOW OAuth flow delegation to unaudited script -10
The skill instructs the agent to run oauth_setup.py to initialize eBay OAuth tokens. This script is not included in the skill package. If a malicious version of this script were present in ~/clawd/ebay/, it could exfiltrate eBay developer credentials or OAuth tokens during the authentication flow.
INFO Skill content is well-structured documentation with no manipulation 0
SKILL.md contains straightforward eBay Trading API reference documentation. No prompt injection patterns detected: no override instructions, no persona-switching, no hidden content, no requests for elevated permissions beyond stated eBay API scope.
INFO Install behavior is clean and expected 0
The installation process cloned the OpenClaw skills monorepo via sparse checkout, extracted only the target skill path, and cleaned up the temp directory. No unexpected network connections, process spawning, or filesystem side-effects were detected.
INFO Canary files accessed only by audit system and OS background processes 0
Canary file PATH events in the audit log (/.env, /.ssh/id_rsa, /.aws/credentials, /.npmrc, /.docker/config.json, /.config/gcloud/...) occur in a symmetric before-and-after pattern consistent with the Oathe audit system's own canary verification procedure. The mid-install .env access is attributable to Ubuntu's check-new-release daemon (python3.12 process with matching socket activity). No contents were transmitted externally.