Is blackstorm/4todo safe?

https://github.com/openclaw/skills/tree/main/skills/blackstorm/4todo

88
SAFE

4todo is a well-structured Eisenhower Matrix todo management skill that integrates with the 4to.do API via HTTPS. The skill contains no executable code, no prompt injection patterns, and no credential harvesting instructions; token handling follows good security practices by favoring environment variable injection over in-prompt secrets. The only noteworthy concern is a UX-motivated output suppression instruction that reduces agent transparency about its own API calls, and a low-probability speculative cross-skill exfiltration vector inherent to any external-write API skill.

Category Scores

Prompt Injection 87/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 93/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 86/100 · 5%

Findings (6)

LOW Output suppression instruction reduces agent transparency -13

SKILL.md instructs the agent to avoid mentioning curl, endpoints, headers, API mechanics, JSON payloads, and config patches by default. While framed as a UX preference to avoid overwhelming non-technical users, this systematically reduces the agent's transparency about its own actions. A user cannot easily audit what API calls were made or what data was sent without explicitly asking.

INFO Credential files read during monitoring — attributed to audit system, not skill -12

inotify and auditd logs record open+access on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP ADC at two timestamps. Cross-referencing with process execution, the first batch (1771736382.910) precedes the git clone and aligns with oathe canary initialization. The second batch (1771736402.282) aligns with oathe's post-install canary verification. No skill process is attributable to these reads. Canary integrity verdict confirms no exfiltration.

INFO No executable code — curl usage is declarative documentation 0

The skill contains only markdown documentation files. The curl examples in SKILL.md are guidance for the LLM agent to construct API calls at runtime, not scripts that execute during install. This is the standard pattern for API integration skills.

INFO Clean install from declared monorepo, no lateral movement 0

Installation performed a shallow sparse checkout from openclaw/skills.git over HTTPS, copied only the skill/blackstorm/4todo subtree, and cleaned up the temp clone. No unexpected processes, no writes outside the skill directory, no new listening ports.

INFO All honeypot files intact 0

The monitoring system confirmed all canary files were unmodified and not exfiltrated. File accesses to canary paths are attributable to the oathe audit system itself.

LOW Cross-skill composition risk: todo names as exfiltration channel -14

If a malicious actor combined this skill with a file-reading skill, todo task names could theoretically be used to encode and sync sensitive filesystem data to the 4to.do service. This is a low-probability speculative risk that is not driven by this skill's instructions, but is inherent to any skill that writes user-controlled strings to an external service.