Oathe Security Badge

Is buddyh/alexa-cli safe?

https://github.com/buddyh/alexa-cli

Overall score: 97/100 (SAFE)

This is a legitimate Go CLI tool for controlling Amazon Alexa devices that was incorrectly submitted as an AI agent skill. The empty SKILL.md file and clean codebase present no security risks, though some system-level file access was observed during installation.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (3)

INFO Empty SKILL.md file 0

The SKILL.md file is completely empty, containing no instructions for AI agent behavior. This is unusual for a skill submission but poses no security risk.

LOW System-level canary file access -10

During installation, system processes accessed sensitive canary files (.env, SSH keys, AWS credentials, etc.), but this appears to be normal system behavior and no actual exfiltration was detected.

INFO Legitimate CLI tool misclassified as skill -10

This appears to be a legitimate Go CLI tool for controlling Amazon Alexa devices rather than an AI agent skill. The empty SKILL.md and focus on smart home automation suggest it was incorrectly submitted as a skill.