Is asoviche/ogment-agentic-cli safe?

https://github.com/openclaw/skills/tree/main/skills/asoviche/ogment-agentic-cli

Overall score: 73 / 100 · CAUTION

The ogment-agentic-cli skill is a CLI wrapper whose stated purpose (business SaaS integrations) is legitimate, but it introduces a significant trust surface in two ways: it requires a global npm install of an unaudited package, and it routes all business data through Ogment's third-party servers. The skill's SKILL.md contains no prompt injection or hidden malicious instructions, and clone-time monitoring detected no anomalous behavior. The primary risks are supply-chain (npm package integrity) and data-proxy (third-party credential and data handling).

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 82/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (6)

HIGH Global npm install of unaudited package -40

The skill instructs the agent to run 'npm install -g ogment', which installs a globally-available binary from the npm registry. npm packages can contain preinstall and postinstall lifecycle scripts that execute arbitrary code at install time. The ogment package itself is not part of this skill repository and cannot be audited from the evidence provided.

HIGH All business data routed through third-party proxy -22

The ogment CLI acts as a proxy between the user's agent and their SaaS tools (Salesforce, Notion, Slack, databases). All API calls, query results, and record data pass through Ogment's servers. The skill explicitly states 'Credentials never leave Ogment' and 'Each tool call is authenticated, permission-checked, and logged by Ogment', confirming server-side data processing. A compromised or malicious Ogment service could intercept, log, or modify all business data.

MEDIUM OAuth token management by third party -10

The skill directs users to authenticate via 'ogment login' which opens a browser for OAuth. Tokens are managed server-side by Ogment. This creates a persistent credential delegation — Ogment holds tokens that grant access to the user's Salesforce, Notion, Slack, databases, and other connected services.

MEDIUM Broad agent command execution scope -18

The skill instructs the agent to construct and execute shell commands with user-provided parameters interpolated into command strings. The pattern 'ogment call ' allows the agent to build commands with arbitrary content. Any sanitization the ogment CLI performs only applies after the shell has already parsed the command line, so if the agent quotes arguments improperly, a shell injection could occur before the CLI ever sees the input.

LOW Potential cross-skill data exfiltration channel -15

If installed alongside other skills that handle sensitive data, the ogment CLI provides a ready-made exfiltration channel. An agent could be socially engineered (via a separate malicious skill's prompt injection) to pipe sensitive data through ogment call to an attacker-controlled server path.

INFO Clean installation with no anomalous behavior -5

The git clone and skill installation produced no unexpected network connections, no filesystem writes outside /tmp, and no suspicious process execution. All observed activity corresponds to standard OS services and the audit monitoring infrastructure.