Is aaronchartier/inkjet safe?

The inkjet print file <path> command, documented explicitly in SKILL.md, allows printing the contents of any locally readable file to a Bluetooth thermal printer. If an agent with filesystem access is directed (via prompt injection or malicious task) to print a sensitive file, credentials could be physically exfiltrated to a printer accessible to an attacker. This is not an exfiltration vulnerability in the skill itself, but a capability that lowers the barrier for physical-medium data leakage.

The inkjet print qr <string> command encodes any string into a printed QR code. A compromised agent could be instructed to encode a secret (API key, token, password) into a QR code and print it. The QR code can then be photographed by a smartphone to recover the data without any network connection being made.

The Multi-Printer Orchestration section explicitly directs the agent to read printer UUIDs and aliases from TOOLS.md or other environment context files. While this is a legitimate configuration pattern, it means the skill trains the agent to treat ambient context files as authoritative sources for device addresses. A malicious TOOLS.md could redirect print jobs to unexpected addresses.

The skill's declared dependencies (pip: inkjet, brew: aaronchartier/tap/inkjet) are external packages outside the scope of this audit. The skill itself contains no executable code, install scripts, git hooks, submodules, or symlinks. The external inkjet package requires a separate supply-chain audit.

Installation made exactly one external network connection: a git clone over HTTPS to 140.82.121.3:443 (github.com). No unexpected process spawning, no persistent listeners created, no filesystem changes outside the skill install directory. DNS queries resolved only github.com.

Auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json being opened at timestamps 1771651165.* (before install) and 1771651186.* (after install). These are consistent with the oathe audit framework performing pre/post canary baseline hashing. The skill did not trigger these accesses. All canary files remained intact and unmodified.

A sophisticated attacker with the ability to inject prompts into an agent running this skill could chain filesystem reads with inkjet print commands to physically exfiltrate data to a nearby Bluetooth printer with zero network footprint. This bypasses DLP controls and network monitoring entirely. The attack requires: (1) agent has filesystem access, (2) attacker has physical proximity to a Bluetooth printer, (3) agent can be directed to use specific file paths.

The inkjet skill poses no meaningful risk if the agent it is injected into lacks filesystem read access or shell execution capabilities. Its entire risk surface is predicated on the host agent's other permissions. The skill content itself is clean documentation with no malicious instructions.