Is apetersson/kitchenowl safe?

https://github.com/openclaw/skills/tree/main/skills/apetersson/kitchenowl

88
SAFE

The apetersson/kitchenowl skill is a straightforward CLI wrapper for the KitchenOwl kitchen management application. It contains no prompt injection, hidden code, or exfiltration mechanisms. The primary risks are the pipx installation of a third-party PyPI package (kitchenowl-cli), which inherently executes external code, and the storage of auth credentials in a plaintext config file.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

MEDIUM Third-party PyPI package installation via pipx -20

The skill instructs the agent to run 'pipx install kitchenowl-cli', which downloads and installs a Python package from PyPI. This executes arbitrary Python code from an external source. If the package were compromised, typosquatted, or had malicious install hooks, it could execute arbitrary code on the host system.

LOW Auth credentials stored in plaintext config file -8

The skill documents that access_token, refresh_token, server_url, and user credentials are stored in ~/.config/kitchenowl/config.json. While this is standard CLI behavior and transparently documented, it creates a credential file that other skills or processes could read.

LOW CLI password flags may leak to shell history -8

The auth login command accepts --username and --password flags. If an agent passes credentials via command-line arguments rather than interactive prompts, these could be captured in shell history files, process listings, or audit logs.

INFO Skill includes appropriate safety guardrails 0

The command usage rules section includes good security practices: starting with read-only commands, requiring confirmation for destructive operations, and preferring explicit IDs. This reduces risk of accidental data loss.

INFO Clean clone with no anomalous activity 0

Installation consisted of a simple git clone with no post-install hooks, no unexpected network connections, and no filesystem modifications outside the skill directory. All observed network traffic maps to expected infrastructure (GitHub, Ubuntu repos, DNS).