Is armysarge/quickbooks-direct safe?

The skill's main JavaScript file (run.js) implements all MCP tool handlers including OAuth flow, token management, QuickBooks API calls, and the local Express callback server. This file was confirmed present via SHA256 hash in the filesystem baseline but its source content was absent from the audit corpus. Without reviewing run.js, no assertion can be made that runtime behavior matches the SKILL.md documentation. This is the single largest audit gap.

Because run.js source code was not captured, it is impossible to confirm the absence of logic that reads sensitive local files (.env, SSH keys, cloud credentials), encodes data, or transmits it to external endpoints during tool initialization or execution. The skill's MCP server pattern (running a persistent Node.js process) means any such logic would execute continuously while the skill is active, not just during tool invocation.

Six honeypot credential files were read at audit timestamp 1771926087, approximately 6 seconds after skill file installation completed. Files accessed: /home/oc-exec/.env, /home/oc-exec/.ssh/id_rsa, /home/oc-exec/.aws/credentials, /home/oc-exec/.npmrc, /home/oc-exec/.docker/config.json, and /home/oc-exec/.config/gcloud/application_default_credentials.json. The audit framework integrity check reports all files unmodified. Absence of 'node run.js' in the process audit and timing alignment with audit pipeline phases both indicate this is likely the Oathe framework's own post-install canary verification. However, with run.js unreviewed, skill-originated reads cannot be fully excluded.

The skill stores QuickBooks OAuth client_id, client_secret, access_token, and refresh_token in plaintext in config.json within the skill directory. While the SKILL.md explicitly acknowledges this risk and recommends mitigations, any co-resident process, skill, or agent with filesystem read access to the skill directory can obtain live QuickBooks API credentials valid for up to 100 days (refresh token lifetime).

The qb_authenticate tool requires QuickBooks app client_id and client_secret to be passed as tool call parameters. This means OAuth application credentials appear in the agent's conversation history and tool call logs, and are visible to any other skill or data source that can influence the agent's context. A prompt injection attack delivered via a QuickBooks entity (customer notes, invoice memo, item description) could instruct the agent to re-emit or forward these credentials.

The qb_query and qb_query_* family of tools accept arbitrary QuickBooks SQL against 24 entity types. This includes Employee (PII and compensation data), TimeActivity (work logs), JournalEntry (general ledger), Deposit, Transfer, and Purchase records. There are no row-level access controls, field-level filtering, or rate limiting enforced in the skill itself beyond QuickBooks API limits. A compromised or prompt-injected agent could exfiltrate a complete financial and personnel dataset in a single qb_batch call.

No package.json was captured during the audit despite the skill explicitly requiring 'npm install' to install axios, express, and open. npm package lifecycle scripts (preinstall, postinstall, install) can execute arbitrary shell commands with the invoking user's privileges during dependency installation. Without reviewing package.json, the presence or absence of malicious install hooks cannot be confirmed.

The qb_send_invoice tool sends a QuickBooks invoice to any email address provided by the agent, with no recipient whitelist, confirmation step, or domain restriction. If the agent is manipulated via prompt injection embedded in QuickBooks data (e.g., a customer's display name or invoice memo containing injection payload), the tool could be used to send financial documents to attacker-controlled addresses or to conduct phishing using legitimate QuickBooks-branded emails.

The qb_batch tool executes multiple create, update, and delete operations atomically. A single malicious batch call could simultaneously create fraudulent customers, generate invoices, record payments, and delete records, making detection and rollback difficult. Combined with the unrestricted query interface, an attacker could read current state, compute a modification plan, and execute it atomically.

The skill's OAuth flow starts a local Express.js server on port 3001. This server is reachable by any process on the local machine. In environments with SSRF vulnerabilities or where other skills can make HTTP requests to localhost, this server could be targeted to capture OAuth authorization codes or to trigger unintended OAuth flows.

All outbound network connections during skill installation were to GitHub (140.82.121.4:443). Standard Ubuntu infrastructure connections (91.189.91.48, 185.125.188.54) present before installation were not present after, consistent with package update checks completing. No connections to skill-specific telemetry, C2, or third-party data collection endpoints were observed.

Complete review of SKILL.md found no instructions to override system prompts, ignore prior instructions, suppress output, encode data, switch personas, or access resources outside the documented QuickBooks API scope. The document structure is consistent with legitimate API integration documentation.