Is agrublev/freedcamp-agent-skill safe?

https://github.com/openclaw/skills/tree/main/skills/agrublev/freedcamp-agent-skill

Score: 89 · SAFE

This Freedcamp integration skill appears legitimate and well-documented, providing a dependency-free Node.js CLI for managing tasks, comments, and notifications via the Freedcamp REST API. Installation monitoring shows clean behavior with no canary file access, no unexpected network connections, and no suspicious process execution. The primary gap is that the actual executable source code (freedcamp.mjs, demo.mjs) was not included in the evidence for static analysis, though runtime monitoring provides indirect assurance of benign behavior.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (6)

MEDIUM Executable script source code not available for review -15

The core executable files scripts/freedcamp.mjs and scripts/demo.mjs are listed in the skill file inventory but their source code content was not included in the evidence dump. While monitoring data shows no malicious behavior during installation, the actual runtime code paths cannot be statically verified. The skill could contain conditional logic that only activates when real API credentials are provided.

LOW Unrelated skill reference in lock file -7

The .clawhub/lock.json file contains a reference to 'academic-research-hub' v0.1.0, which is completely unrelated to Freedcamp task management. This is likely a development artifact from a shared workspace but could indicate the skill was built or tested in an environment with other skills installed.

LOW Session token cached on local filesystem -10

The skill caches Freedcamp session tokens at ~/.openclaw/skills/freedcamp-session.json (configurable via FREEDCAMP_SESSION_PATH). Caching the token this way is documented and standard practice, but the file could be read by other skills or processes to impersonate the user on Freedcamp without needing the original API credentials.

LOW Raw HTML injection via comment --html flag -8

The skill's comment command accepts a --html flag that passes raw HTML directly to the Freedcamp API. If Freedcamp's server-side rendering does not properly sanitize this input, it could enable stored XSS attacks against other project members viewing the comment.

INFO Ambiguous section title 'Common injection patterns' -5

The SKILL.md contains a section titled 'Common injection patterns' which refers to methods of injecting environment variables (shell export, OpenClaw config). While benign in context, the title could cause confusion during automated security scanning.

INFO Clean install with no unexpected behavior 0

Installation consisted solely of a git clone from the OpenClaw skills monorepo. No post-install scripts executed, no unexpected network connections, no filesystem modifications outside the skill directory. All observed network traffic and process execution is attributable to the Oathe monitoring infrastructure and standard OS services.