Is asabovetech/pocket-ai safe?
https://github.com/openclaw/skills/tree/main/skills/asabovetech/pocket-ai
Pocket AI is a legitimate API integration skill for a voice recording/transcription wearable device. It contains no malicious code or prompt injection, but routes all queries through a third-party API (heypocketai.com), includes a JSON injection vulnerability in search.sh, and publishes extensive PII (real names, business entities, financial topics) on a public marketplace. The cross-agent integration instructions expand its effective scope beyond passive search.
Findings (8)
MEDIUM All queries routed to third-party API -13
The skill's core functionality sends natural language queries containing potentially sensitive context to public.heypocketai.com. While this is the intended behavior, the agent will transmit user queries to an external server controlled by a third party. The API returns personal meeting transcripts, action items, and AI-built user profiles.
MEDIUM JSON injection in search.sh via unsanitized query parameter -15
search.sh interpolates the user-supplied query directly into a JSON string literal, inside double quotes, when it builds the API request body. A query containing a double quote closes that literal early, so the rest of the query is parsed as JSON structure, and a backslash starts an escape sequence; either can break the body or inject arbitrary fields into the request. This is JSON injection rather than shell command injection, but it lets a query set request parameters the script did not intend to expose.
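The pattern the finding describes, beside a hardened form, as an added example; this is not the skill's own search.sh, and the field names ("query", "limit"), the limit value and the commented-out request line are assumptions:

```sh
#!/bin/sh
# Added example, not the skill's search.sh. Field names, the limit value and
# the endpoint are assumptions; the injection pattern is the one the finding
# describes.

# UNSAFE: the query lands inside a JSON string literal with no escaping.
# A double quote ends the literal early and whatever follows is parsed as
# JSON structure; a backslash starts an escape sequence.
build_payload_unsafe() {
  printf '{"query":"%s","limit":10}' "$1"
}

# JSON string escaper in POSIX sh + sed: backslash, double quote, tab,
# carriage return and newline. Other control characters (0x00-0x1f) are not
# handled; where jq is available prefer
#   jq -cn --arg q "$1" '{query:$q,limit:10}'
# which escapes everything. The first four sed expressions join all input
# lines into one pattern space so the substitutions see the whole string.
json_escape() {
  tab=$(printf '\t')
  cr=$(printf '\r')
  printf '%s' "$1" | sed \
    -e ':a' -e '$!{' -e 'N' -e 'ba' -e '}' \
    -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    -e "s/$tab/\\\\t/g" -e "s/$cr/\\\\r/g" -e 's/\n/\\n/g'
}

# SAFE: same template, but the query is escaped before interpolation, so it
# can only ever be the value of "query".
build_payload_safe() {
  printf '{"query":"%s","limit":10}' "$(json_escape "$1")"
}

# Constructed attacker-controlled query: closes the string and adds fields.
crafted='x","limit":999,"z":"'

printf 'unsafe: %s\n' "$(build_payload_unsafe "$crafted")"
printf 'safe:   %s\n' "$(build_payload_safe "$crafted")"

# The request would then go out as, for example:
#   curl -sS -X POST "$API_URL" -H 'Content-Type: application/json' \
#        --data "$(build_payload_safe "$user_query")"
```

With the crafted query the unsafe builder emits a body carrying an extra "z" field and a second "limit", while the safe builder emits a body whose only "query" value is the literal text the user typed.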
MEDIUM Extensive PII published in public skill marketplace -15
The skill file contains real names (Dylan, Adrienne, Charlene), business entities (Red Run, Acquisition.com), and sensitive topic categories (team restructuring, firing/hiring, family financial planning, trading psychology). This data is published on the public GitHub skills marketplace and will be injected into any agent that installs this skill, regardless of whether they are 'Marc'.
MEDIUM Cross-agent integration instructions expand attack surface -5
The Integration Points section instructs the agent to post meeting decisions to an #operations channel, feed insights to an 'Athena' agent for scheduling, and auto-surface action items to task management systems. These instructions expand the skill's effective scope beyond passive search into active data dissemination across multiple systems.
LOW API key credential read from local filesystem -8
The skill instructs the agent to read an API key from ~/.config/pocket-ai/api_key using command substitution $(cat ...). While this is the expected authentication mechanism, it means the agent will access a credential file and include its contents in HTTP headers sent to the external API.
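A stricter way to load that key and hand it to curl, as an added example that is not the skill's own code. The caveat it addresses is general to the `$(cat ...)` pattern: a key expanded into a `-H` argument is visible in the process list (`ps`, `/proc/<pid>/cmdline`) to other local users for the lifetime of the request. The key path is the one the finding names; the `Bearer` header form and the `-H @file` syntax (curl 7.55 or later) are assumptions:

```sh
#!/bin/sh
# Added example, not the skill's own code. The key path is the one the
# finding names; the Authorization header form is an assumption.

# Refuse a key file that group or other users can read, then return its
# contents (the command substitution strips the trailing newline).
load_api_key() {
  keyfile=${1:-"$HOME/.config/pocket-ai/api_key"}
  [ -f "$keyfile" ] || { echo "load_api_key: no such file: $keyfile" >&2; return 1; }
  # First 10 characters of ls -ld: file type, then rwx for user, group, other.
  perms=$(ls -ld "$keyfile" | cut -c1-10)
  case "$perms" in
    ????------) ;;   # only the owner holds any permission bits
    *) echo "load_api_key: $keyfile has mode $perms; expected 0600" >&2; return 1 ;;
  esac
  key=$(cat "$keyfile")
  [ -n "$key" ] || { echo "load_api_key: $keyfile is empty" >&2; return 1; }
  printf '%s' "$key"
}

# Write the Authorization header to a private temp file (mktemp creates it
# 0600) so the key never appears in argv. Prints the file path; the caller
# removes it after the request.
write_auth_header() {
  hdr=$(mktemp) || return 1
  printf 'Authorization: Bearer %s\n' "$1" > "$hdr"
  printf '%s' "$hdr"
}

# Usage (not run here; needs the real key and network access):
#   key=$(load_api_key) || exit 1
#   hdr=$(write_auth_header "$key") || exit 1
#   curl -sS -H @"$hdr" "$API_URL"; rm -f "$hdr"
```

The mode check is deliberately coarse (any group or other bit fails it); a file that is readable by other accounts is the more common mistake than a file with the wrong owner, and the skill's instructions do not say what mode the file is expected to have.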
LOW Executable Python module with CLI entrypoint -10
pocket_api.py contains a PocketAI class with full API client implementation and a main CLI entrypoint. While the code appears clean and functional, it is an executable that makes network requests when run directly.
INFO Clean install with no anomalous behavior -5
The skill installed via standard git sparse checkout. No unexpected network connections, process spawning, or filesystem modifications were detected outside the skill directory. All network activity corresponds to expected GitHub clone operations and system background processes.
INFO All honeypot files remain intact 0
No canary files (.env, SSH keys, AWS credentials, .npmrc, Docker config, GCloud credentials) were accessed or modified during installation or analysis.