Is arthbhalodiya/jules-api safe?

https://github.com/openclaw/skills/tree/main/skills/arthbhalodiya/jules-api

Overall score: 86 / 100 · Verdict: SAFE

The arthbhalodiya/jules-api skill is a straightforward wrapper for the Google Jules REST API with no prompt injection, no malware, and a clean install that only contacted github.com. The skill itself is not malicious, but its intended functionality carries significant second-order risk: it gives an LLM agent the ability to orchestrate Jules — a second autonomous AI coding agent — to write and merge code on connected GitHub repositories, with an AUTO_CREATE_PR mode that bypasses all human approval. A minor shell injection risk exists in the jules.sh parameter handling for SOURCE_ID and BRANCH.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 93/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

HIGH (-35) AI-to-AI code execution delegation with write access to GitHub repos

This skill enables an LLM agent to create Jules sessions that autonomously write code, fix bugs, add tests, and merge pull requests on connected GitHub repositories. If the host agent is manipulated via prompt injection from any source (malicious issue body, README, third-party API response, another skill), the Jules skill provides a ready primitive to commit arbitrary code to production branches without the user realizing a second AI is writing the code.

MEDIUM (-15) AUTO_CREATE_PR mode bypasses human plan approval

The skill prominently documents and provides a ready-to-use example for automationMode AUTO_CREATE_PR, which skips requirePlanApproval. When an agent uses this mode, Jules will create and potentially auto-merge a pull request with no user review checkpoint between session creation and code landing in the repository.

MEDIUM (-22) Shell injection risk in jules.sh SOURCE_ID and BRANCH parameters

In the create subcommand of jules.sh, $SOURCE_ID and $BRANCH are interpolated directly into the JSON body string without sanitization or JSON-escaping through jq. An agent (or user) passing a value like 'foo","injectedField":"evil' as the source ID could break the JSON structure or inject unexpected fields into the API payload. $PROMPT and $TITLE are correctly escaped through jq -Rs; these two parameters are not.

LOW (-20) Inherent data egress through Google Jules API

Normal, intended use of this skill routes repository content, prompts, code diffs, and task descriptions to Google's Jules API (jules.googleapis.com). This is expected for the skill's purpose, but users should be aware that code and context from their repositories transit Google's infrastructure. This is not malicious behavior but is relevant for sensitive codebases.

INFO (0) Clean install via sparse GitHub checkout

The install performed a single sparse-checkout of the openclaw/skills monorepo over HTTPS to github.com. No unexpected network destinations, no background processes, no persistent filesystem changes outside the skill directory.

INFO (0) Canary file reads attributed to audit framework, not skill code

Inotify and auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials opened read-only at timestamps 1771648560.436 (pre-clone, during sudo/ss setup) and 1771648583.436 (post-install, during scan teardown). Timing, access mode (CLOSE_NOWRITE), and the clean canary integrity check all indicate these are Oathe framework operations, not skill behavior.