Is catwalksophie/shortcut safe?

https://github.com/openclaw/skills/tree/main/skills/catwalksophie/shortcut

97
SAFE

This is a legitimate Shortcut project management integration that provides comprehensive API wrapper functionality. The code is well-structured and professional with no signs of malicious intent. All security concerns are minor and related to the inherent risks of API integrations.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 100/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (2)

MEDIUM Executable shell scripts included -15

The skill contains multiple bash scripts in the scripts/ directory that will be executed by the agent. While these appear to be legitimate Shortcut API wrappers using curl and jq, they represent executable code that could potentially be modified or misused.

LOW API credential handling -10

The skill requires and handles Shortcut API tokens, either from environment variables or config files. While implemented securely, compromised tokens could allow unauthorized access to user's Shortcut workspace.