Oathe Security Badge

Is mogglemoss/openclaw-fellow-aiden-skill safe?

https://github.com/mogglemoss/openclaw-fellow-aiden-skill

Score: 91/100
Verdict: SAFE

This skill appears to be a legitimate OpenClaw integration for controlling Fellow Aiden smart coffee brewers via their API. The Python implementation is straightforward and contains no malicious patterns. It does, however, require the user's Fellow account credentials and makes outbound API calls, both of which are part of its intended functionality rather than indicators of abuse. The verdict applies to the revision that was scanned; the findings below note where a later change to the script or its dependency would warrant a re-review.

Category Scores (score/100 · weight in the overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (4)

LOW Requires user credentials -12

The skill reads the FELLOW_EMAIL and FELLOW_PASSWORD environment variables to authenticate to Fellow's API. Taking credentials from the environment rather than hard-coding them is standard practice for API integrations, but the user is still handing a third-party script the password to their Fellow account. Set the variables only for the process that runs the skill, keep them out of shell profiles and repository files, and prefer a dedicated account or a rotated password if Fellow's service allows it.

LOW Contains executable Python code -10

The skill includes a Python script (fellow.py) that implements an API client. The code appears legitimate, but it is executable content that runs with the user's credentials and network access, and any later commit can change its behaviour. Pin the reviewed revision (commit hash or file digest) and re-review before updating.

LOW External dependency installation -5

The skill specifies installation of the fellow-aiden Python library via pip. This is standard, but it pulls in external code that was not part of this review and that can change on every release. Pin the dependency to an exact version and install with hash verification (pip install --require-hashes -r requirements.txt) so that a changed or substituted package fails to install rather than running silently.

INFO Third-party API integration -10

The skill integrates with Fellow's external API endpoints. The network activity identified is API calls to Fellow services, which is the intended functionality. Egress to any host other than Fellow's API would be outside the skill's stated purpose and should be treated as a finding if it appears in a later revision.
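The four findings above are the kind of checks a static triage of a skill directory can automate: which environment variables a script reads, whether any secret is hard-coded, which network and process-spawning modules it imports, whether it reaches for eval/exec or subprocess, and whether its pip dependency is pinned with a hash. The script below is an added example written for this page; it is not Oathe's scanner and not code from the openclaw-fellow-aiden-skill repository. The two skill sources it scans are constructed for the demo (SAMPLE_SKILL mirrors the behaviour the findings describe; TAMPERED_SKILL shows what would have failed review), the placeholder URL, version and hash are not Fellow's real values, and the AST walk assumes Python 3.9 or later.

```python
import ast
import hashlib

NETWORK_MODULES = {"requests", "urllib", "http", "socket", "httpx", "aiohttp"}
PROCESS_MODULES = {"subprocess", "ctypes"}
EXEC_CALLS = {"eval", "exec", "compile", "__import__", "os.system", "os.popen"}
SECRET_NAMES = ("PASSWORD", "SECRET", "TOKEN", "KEY")  # heuristic name match


def _dotted(node):
    """Return 'os.environ.get' for an Attribute/Name chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _str_arg(call):
    """First positional argument of a call if it is a string literal."""
    if call.args and isinstance(call.args[0], ast.Constant) and isinstance(call.args[0].value, str):
        return call.args[0].value
    return None


def scan_source(source):
    """Static triage of one Python file; returns sorted lists per category."""
    report = {"env_reads": set(), "hardcoded_secrets": set(), "network_modules": set(),
              "process_modules": set(), "exec_calls": set()}
    for node in ast.walk(ast.parse(source)):
        # Module imports: which network clients and process spawners are in play.
        if isinstance(node, ast.Import):
            mods = {alias.name.split(".")[0] for alias in node.names}
        elif isinstance(node, ast.ImportFrom) and node.module:
            mods = {node.module.split(".")[0]}
        else:
            mods = set()
        report["network_modules"] |= mods & NETWORK_MODULES
        report["process_modules"] |= mods & PROCESS_MODULES

        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            # os.getenv("X") / os.environ.get("X") with a literal name.
            if name in ("os.getenv", "os.environ.get") and _str_arg(node):
                report["env_reads"].add(_str_arg(node))
            elif name in EXEC_CALLS or (name and name.split(".")[0] in PROCESS_MODULES):
                report["exec_calls"].add(name)
        elif (isinstance(node, ast.Subscript) and _dotted(node.value) == "os.environ"
              and isinstance(node.slice, ast.Constant) and isinstance(node.slice.value, str)):
            report["env_reads"].add(node.slice.value)  # os.environ["X"] (Python 3.9+ AST)
        elif isinstance(node, ast.Assign):
            # A secret-looking name assigned a string literal is a hard-coded credential.
            for target in node.targets:
                if (isinstance(target, ast.Name)
                        and any(s in target.id.upper() for s in SECRET_NAMES)
                        and isinstance(node.value, ast.Constant)
                        and isinstance(node.value.value, str)):
                    report["hardcoded_secrets"].add(target.id)
    return {k: sorted(v) for k, v in report.items()}


def unpinned_requirements(text):
    """Requirement lines lacking an exact '==' pin or a '--hash=' digest."""
    joined = text.replace("\\\n", " ")  # fold backslash continuations
    bad = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        if "==" not in line or "--hash=" not in line:
            bad.append(line)
    return bad


def sha256_of(source):
    """Digest to record with the review so a later re-scan can detect changes."""
    return hashlib.sha256(source.encode()).hexdigest()


# Constructed sample, NOT the repository's fellow.py: credentials from env vars,
# one HTTP client, caller-supplied base URL (no real Fellow endpoint assumed).
SAMPLE_SKILL = '''
import os
import requests

FELLOW_EMAIL = os.environ["FELLOW_EMAIL"]
FELLOW_PASSWORD = os.getenv("FELLOW_PASSWORD")

def login(base_url):
    return requests.post(base_url + "/login",
                         json={"email": FELLOW_EMAIL, "password": FELLOW_PASSWORD})
'''

# Constructed counter-example: a hard-coded token and a shell spawn added later.
TAMPERED_SKILL = SAMPLE_SKILL + '''
import subprocess
API_TOKEN = "hardcoded-secret"
def run_anything(cmd):
    return subprocess.run(cmd, shell=True)
'''

UNPINNED_REQS = "fellow-aiden\n"
# Placeholder version and digest; produce real ones with `pip download` and `pip hash`.
PINNED_REQS = "fellow-aiden==0.0.0 \\\n    --hash=sha256:" + "0" * 64 + "\n"

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_SKILL), ("tampered", TAMPERED_SKILL)):
        print(label, sha256_of(src)[:16], scan_source(src))
    print("unpinned:", unpinned_requirements(UNPINNED_REQS), unpinned_requirements(PINNED_REQS))
```

Run against the sample, the scan reports exactly the two FELLOW_* environment reads and the requests import and nothing else, which is the profile the findings describe; against the tampered variant it adds subprocess, subprocess.run and the hard-coded API_TOKEN, and the unpinned requirements line is flagged until it carries a version and hash. Keep the digest alongside the review record and compare it before each update.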