Is brianlu365ai/x-kindle safe?

https://github.com/openclaw/skills/tree/main/skills/brianlu365ai/x-kindle

86
SAFE

The x-kindle skill is functionally legitimate with clean prompt content, no executable code, and a straightforward installation that made only the expected HTTPS connection to GitHub. The primary security concerns are structural rather than malicious: the skill's required credential storage pattern (Gmail App Password in shared TOOLS.md) creates cross-skill secret exposure, and granting the agent SMTP email-sending capability introduces a meaningful capability that could be abused if the agent is compromised or manipulated. No canary exfiltration, no hidden instructions, and no malicious clone behavior were detected.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (7)

MEDIUM Gmail App Password stored in plaintext shared config file -15

The skill instructs the agent to store the user's Gmail App Password in TOOLS.md, a shared configuration file readable by all co-installed skills. Any malicious skill installed alongside this one gains read access to a valid Gmail credential, which could be used to send phishing emails, access other Google services, or exfiltrate data via SMTP.

MEDIUM Agent granted persistent SMTP email-sending capability -13

The skill requires the agent to configure and use SMTP to send emails from the user's Gmail account. While intended for Kindle delivery, a compromised or adversarially-prompted agent session could redirect SMTP sends to arbitrary recipients with arbitrary content, enabling email-based data exfiltration. The skill provides no guardrails on recipient address validation.

LOW Shared secret store pattern enables cross-skill credential theft -12

The pattern of storing API keys and passwords in a shared TOOLS.md file — while common in multi-skill agent frameworks — creates a single point of credential compromise. Any future skill installed in the same agent environment inherits read access to these secrets, expanding the blast radius of any malicious skill.

LOW Third-party API (fxtwitter.com) introduces content injection risk -15

Tweet content is fetched from api.fxtwitter.com, an unofficial third-party Twitter proxy. If this service is compromised, returns maliciously crafted content, or is used to serve attacker-controlled tweet bodies, that content is embedded directly into an HTML email sent to the user's Kindle. The skill specifies no integrity checking or content validation on the API response.

LOW Unsanitized tweet content embedded in HTML email -15

The HTML email template embeds tweet_text directly as '

{tweet_text}

' with no mention of HTML encoding or sanitization. A tweet containing HTML tags or JavaScript payloads could be forwarded to the Kindle email service unmodified. Depending on the email client used to view the Kindle document, this could result in script execution or content injection.

INFO Canary file reads attributable to monitoring infrastructure, not skill 0

Reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were detected at audit timestamp 1771735092 and again at 1771735112. The git clone of the skill does not begin until 1771735098. The pre-clone reads are the oathe monitoring system establishing baseline canary state; the post-install reads are the post-audit integrity check. No canary files were modified.

INFO Skill contains no executable code 0

Static analysis of all skill files confirms the skill is documentation-only. No JavaScript, TypeScript, Python, shell scripts, Makefiles, or Dockerfiles are present. No git hooks, gitattributes filters, or submodule references were found. The install produced only SKILL.md and _meta.json.