Is alanburchill/translink-cli safe?

https://github.com/openclaw/skills/tree/main/skills/alanburchill/translink-cli

88
SAFE

The translink-cli skill is a documentation-only skill containing no embedded executable code, no prompt injection techniques, and no direct data exfiltration instructions. Its primary security concern is that it fully depends on an unaudited external CLI repository ('traslink-cli-scripts', with a URL typo) and instructs the agent to direct users to install these unreviewed shell scripts if absent — creating a supply-chain trust gap that cannot be resolved without auditing the CLI repo separately. All canary files remained intact and install-time behavior was limited to expected GitHub connections.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (6)

MEDIUM Unaudited external CLI scripts not included in audit scope -15

The skill's core functionality depends entirely on a separate external GitHub repository ('traslink-cli-scripts') that was not part of this review. The agent is instructed to invoke these scripts as translink_* shell commands with full access to whatever the executing shell can reach. The actual scripts could read sensitive files, make unauthorized network connections, or exfiltrate data without any indication in the skill documentation.

MEDIUM Prerequisite install prompt creates external script execution social-engineering vector -10

The skill instructs the agent to halt and ask the user to install CLI scripts from an external GitHub repo if they are not present. This places the agent in the role of directing the user to install unreviewed third-party shell scripts, bypassing normal user skepticism. A sophisticated attacker maintaining the CLI repo could push malicious updates post-install.

LOW Typo in prerequisite repository URL ('traslink' vs 'translink') -2

The CLI repository URL references 'traslink-cli-scripts' rather than the expected 'translink-cli-scripts'. This is likely a genuine author typo, but it is an unexplained inconsistency — the skill name, all documentation, and all command names correctly spell 'translink'. At worst this could misdirect users to a differently-named repository or create confusion during installation.

LOW Canary file read-accesses observed during monitoring window -5

Auditd PATH events record read-only accesses to honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) at timestamps before and after the install window. These accesses use CLOSE_NOWRITE inotify flags and are temporally consistent with the oathe audit infrastructure performing pre/post baseline integrity checks rather than skill-initiated access. No modifications were made and the Canary Integrity report confirms all files intact.

INFO Skill contains no embedded executable code 0

All nine skill files are pure markdown documentation or a JSON metadata manifest. No JavaScript, TypeScript, Python, shell scripts, Dockerfiles, or Makefiles are present. No package.json means no npm lifecycle hooks. No .gitattributes, .gitmodules, or .githooks were found.

INFO Skill scope limited to public transit data queries 0

The documented functionality covers only Translink SEQ GTFS public schedule and realtime data. No user credentials, private filesystems, or sensitive APIs are part of the skill's stated scope. The cache directory (~/.openclaw/cache/translink/) holds only public transit data.