Is apenklit/waste-reminder safe?
https://github.com/openclaw/skills/tree/main/skills/apenklit/waste-reminder
The waste-reminder skill is a functionally legitimate Python-based reminder utility with no malicious code, no prompt injection in SKILL.md, and no evidence of credential theft or unexpected network exfiltration during installation. Its primary risk profile stems from architectural design choices: the skill instructs the AI agent to act as a messaging proxy (sending WhatsApp/Telegram/Discord/email on its behalf) and requests a persistent 15-minute cron job, creating a recurring execution surface. These are intentional design decisions rather than attacks, but they introduce meaningful abuse potential if a companion skill or local attacker gains write access to the config files.
Findings (7)
MEDIUM Persistent cron job requested every 15 minutes -25
SKILL.md instructs the user (via the AI agent) to register a system cron job that executes waste_cron.py every 15 minutes indefinitely. This creates a persistent execution footprint that survives session boundaries. Any future modification to the script or config silently takes effect without user re-approval.
MEDIUM AI agent delegated as messaging proxy via structured output protocol -20
The skill outputs a machine-readable SEND_TO:/CHANNEL:/message/--- block format that instructs the AI agent to dispatch messages to external contacts. The AI's access to WhatsApp, Telegram, Discord, and email APIs is harnessed as the delivery mechanism. If config.json templates are tampered with — or if a companion skill writes to the config — the AI can be directed to send arbitrary content to any registered contact without further user confirmation.
LOW Config-controlled message templates create indirect prompt injection vector -15
Reminder message templates in config.json (e.g., 'Not confirmed yet - {container_emoji} needs to go out by 7am!') are rendered by the cron script and passed verbatim to the AI. An attacker who can modify config.json could embed prompt injection payloads inside template strings that the AI processes as part of its action context.
LOW Plaintext contact data stored in workspace config -10
The skill stores personal phone numbers (WhatsApp), Telegram chat IDs, and Discord webhook URLs in plaintext JSON files. Any process or skill with read access to the workspace directory can harvest this contact list.
LOW Executable Python scripts installed to workspace -10
Two Python scripts are installed and intended to run under the user's account. While the code itself is clean, the scripts' presence creates an execution surface. The cron invocation path is absolute and world-readable.
INFO Installation clones from public GitHub monorepo via sparse-checkout 0
The install process performs a shallow git clone of the full openclaw/skills monorepo then uses sparse-checkout to extract only the waste-reminder subdirectory. This is consistent with the documented clawhub install pattern and fetches only the expected files.
INFO Canary file reads attributed to audit infrastructure, not skill code 0
Accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials appear at pre-clone (1771649302) and post-teardown (1771649324) timestamps. The skill Python code has no mechanism to access these paths. Audit reports all canary files intact.