Is chardigio/copilot-money-mac safe?
https://github.com/openclaw/skills/tree/main/skills/chardigio/copilot-money-mac
The copilot-money-mac skill is a legitimately designed, read-only interface to the Copilot Money Mac app's local SQLite and Firestore LevelDB databases, and its installation was completely clean with no unexpected network activity, no malicious code, no prompt injection, and all canary files intact. The core concern is architectural rather than adversarial: the skill is explicitly designed to surface a user's complete financial life — every transaction, balance, investment, and budget — into the LLM context window, where it becomes a high-value target for secondary prompt injection attacks from malicious content encountered by the agent elsewhere. Users should only install this skill if they understand that their full financial history will be transmitted to their LLM provider as part of normal inference, and should not run it alongside skills capable of outbound communication.
Findings (7)
HIGH Skill surfaces user's complete financial history into LLM context -35
The skill's stated and actual purpose is to load a user's entire financial life into the LLM context window: every transaction ever recorded (merchant name, original bank name, amount, date, user notes, pending status), all account daily balance snapshots, all investment holdings with time-weighted return data, budget definitions with category amounts, recurring transaction definitions (rent, subscriptions, utilities), and Amazon order matching data. This data is among the most sensitive personal information that exists. Once in the context window, it can be leaked via secondary prompt injection from any malicious content the agent later encounters — an email, a web page, a calendar invite.
HIGH LevelDB binary extraction via 'strings' is broad and unfiltered -10
Three bash snippets run strings $f 2>/dev/null over every *.ldb binary file in the Firestore cache. The strings command reports every run of printable characters of at least four bytes (its default minimum) anywhere in the file; it is not scoped to any particular collection or field. Because the Firestore cache stores serialized documents alongside its own bookkeeping, this may surface Firestore internal keys, partial protobuf structures, user IDs, session tokens, or other data embedded in the binary format beyond what the user intends to expose to the LLM.
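To make the unscoped-versus-scoped distinction concrete, the following added example (not code from the copilot-money-mac skill or from the audit tool) re-implements the behaviour of strings -n 4 in Python and runs it over a constructed sample file. The sample bytes, the field labels (transactions/merchant_name, firestore_session_token, users/uid), and the allowlist prefixes are all assumptions made for illustration; real Firestore LevelDB files hold protobuf-encoded documents rather than these plain labels.

```python
"""Unscoped vs. scoped extraction of printable runs from a LevelDB-style file.

Added example, not part of the copilot-money-mac skill. SAMPLE_LDB is a
constructed byte string that interleaves binary framing with printable runs
so the difference between "everything strings finds" and "only the fields
the user meant to expose" is visible.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample content (assumed labels; not real Firestore encoding).
SAMPLE_LDB = (
    b"\x00\x01\x02\x03"
    b"transactions/merchant_name:Grocery Mart"
    b"\x00\x00\xff\xfe"
    b"transactions/amount:-54.20"
    b"\x00\x10"
    b"ab"                                      # shorter than 4 bytes: strings skips it
    b"\x00\x00"
    b"firestore_session_token:tok_example_0123"  # internal data the user did not ask for
    b"\x00"
    b"users/uid:user_0123456789"
    b"\x00\x00\x00"
)

MIN_LEN = 4  # default minimum run length used by `strings`


def printable_runs(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Approximates `strings -n min_len`: every run of printable ASCII (0x20-0x7e)
    at least min_len bytes long, in file order. This is what the skill's
    unfiltered pipeline hands to the model."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def scoped_runs(data: bytes, allowed_prefixes: tuple[str, ...]) -> list[str]:
    """Keeps only runs that start with an explicitly allowed collection/field
    prefix, so session tokens, uids and internal keys never reach the context."""
    return [s for s in printable_runs(data) if s.startswith(allowed_prefixes)]


def scan_ldb_dir(cache_dir: Path, allowed_prefixes: tuple[str, ...]) -> dict[str, list[str]]:
    """Mirrors the skill's `for f in *.ldb` loop, but with the prefix allowlist applied
    per file. Returns {filename: [allowed runs]}."""
    return {
        p.name: scoped_runs(p.read_bytes(), allowed_prefixes)
        for p in sorted(cache_dir.glob("*.ldb"))
    }


def demo() -> tuple[list[str], dict[str, list[str]]]:
    """Writes the constructed sample to a temp dir and returns
    (unscoped runs, scoped-by-directory result) for comparison."""
    with tempfile.TemporaryDirectory() as d:
        cache = Path(d)
        (cache / "000005.ldb").write_bytes(SAMPLE_LDB)
        unscoped = printable_runs(SAMPLE_LDB)
        scoped = scan_ldb_dir(cache, ("transactions/",))
        return unscoped, scoped


if __name__ == "__main__":
    unscoped, scoped = demo()
    print("unscoped:", unscoped)
    print("scoped:  ", scoped)
```

The allowlist is the check the skill lacks: the unscoped list carries the session token and uid straight into the prompt, while the scoped pass returns only the transaction fields. Even the scoped form is still a heuristic over a binary format; parsing the stored documents properly would be the robust fix, but the prefix gate alone already removes the broadest class of accidental disclosure the finding describes.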
MEDIUM High-risk combination: financial data skill plus any communication or HTTP skill -35
This skill is benign in isolation but becomes an exfiltration channel when loaded alongside any skill that can send email, post to an API, create calendar events, or write files. An attacker could craft a phishing email or malicious web page that, when processed by the agent, triggers a chain: invoke copilot-money to retrieve all transactions -> send results to an attacker-controlled endpoint. The skill provides no output scoping (queries return full rows, including notes and original bank names), no confirmation prompt before a bulk read, and no cap on the volume of data returned.
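The controls this finding says are missing (column scoping, a row cap, aggregation instead of raw rows, and an explicit confirmation gate on bulk export) can be shown on a small SQLite table. The example below is added here and is not the skill's code; the transactions schema, the sample rows, the 25-row cap, and the allowed-column list are all assumptions made for illustration and do not reproduce Copilot Money's real database layout.

```python
"""Data-minimising read layer over a transactions table.

Added example, not part of the copilot-money-mac skill. Demonstrates the four
controls the finding notes are absent: column allowlist, row cap, aggregate
answers for budget-style questions, and a confirmation gate on full export.
"""
import sqlite3

MAX_ROWS = 25                                   # assumed cap on rows per query
ALLOWED_COLUMNS = ("date", "merchant", "amount", "category")  # no notes, bank names, account ids


def open_sample_db() -> sqlite3.Connection:
    """Builds an in-memory table with constructed rows (assumed schema, not Copilot's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE transactions (
            id INTEGER PRIMARY KEY,
            date TEXT, merchant TEXT, original_name TEXT,
            amount REAL, category TEXT, notes TEXT, account_id TEXT
        );
        """
    )
    rows = [  # constructed sample data
        ("2024-03-02", "Grocery Mart", "GROCERY MART #112", -54.20, "Groceries", "weekly shop", "acct_1"),
        ("2024-03-05", "City Transit", "CTA TRANSIT", -2.50, "Transport", "", "acct_1"),
        ("2024-03-09", "Grocery Mart", "GROCERY MART #112", -31.80, "Groceries", "", "acct_1"),
        ("2024-03-15", "Employer Inc", "EMPLOYER INC PAYROLL", 2500.00, "Income", "", "acct_1"),
        ("2024-02-28", "Coffee Corner", "COFFEE CORNER", -4.75, "Dining", "", "acct_2"),
    ]
    conn.executemany(
        "INSERT INTO transactions (date, merchant, original_name, amount, category, notes, account_id)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        rows,
    )
    return conn


def recent_transactions(conn: sqlite3.Connection, limit: int = 10) -> list[tuple]:
    """Returns only allowlisted columns and never more than MAX_ROWS rows,
    regardless of the limit the caller (or an injected instruction) asks for."""
    limit = max(1, min(limit, MAX_ROWS))
    cols = ", ".join(ALLOWED_COLUMNS)             # constant tuple, not user input
    return conn.execute(
        f"SELECT {cols} FROM transactions ORDER BY date DESC, id DESC LIMIT ?", (limit,)
    ).fetchall()


def spend_by_category(conn: sqlite3.Connection, month: str) -> dict[str, float]:
    """Answers a budget question with totals, so no individual transaction
    enters the context. month is 'YYYY-MM'."""
    cur = conn.execute(
        "SELECT category, ROUND(SUM(-amount), 2) FROM transactions"
        " WHERE substr(date, 1, 7) = ? AND amount < 0 GROUP BY category",
        (month,),
    )
    return dict(cur.fetchall())


def export_all(conn: sqlite3.Connection, confirmed: bool = False) -> list[tuple]:
    """Bulk export of the full ledger is the operation an injected prompt would
    want. It is only available behind an explicit, out-of-band confirmation."""
    if not confirmed:
        raise PermissionError("bulk export of the full ledger requires explicit user confirmation")
    return conn.execute("SELECT * FROM transactions").fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print(recent_transactions(db, limit=2))
    print(spend_by_category(db, "2024-03"))
```

The cap and the allowlist are enforced inside the read layer rather than in the prompt, which is the point: a prompt-level instruction such as "only return the last ten rows" is exactly what a secondary injection overrides, whereas a query that structurally cannot return notes, bank names or more than 25 rows limits what any chain to an outbound skill can carry.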
MEDIUM Executable shell commands embedded in SKILL.md will run on user's system -22
SKILL.md contains three bash for-loop blocks and multiple sqlite3 invocations that the agent will execute as shell commands when answering financial queries. While the commands are read-only, the pattern of embedding shell templates in a skill normalizes agent execution of complex shell pipelines (for f in ...; do strings | grep | sort -u), which is an elevated permission footprint compared to structured API calls.
LOW No prompt injection detected; minor chaining risk from command templates -12
SKILL.md contains no instructions to override system prompts, adopt personas, hide output, or escalate permissions. All content is legitimate documentation. The minor deduction reflects that detailed, agent-executable command templates in a skill with access to sensitive data create a higher-than-average surface for secondary injection attacks to hijack.
INFO Clean installation — only expected GitHub traffic observed -12
The git sparse-checkout pulled only the skill directory from the openclaw/skills monorepo over HTTPS to 140.82.121.3 (GitHub). No unexpected network destinations, no post-install persistence, no new listening ports. Connection state before and after install is identical (SSH management session only).
INFO All honeypot files intact — no credential exfiltration during install 0
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were read at two points: before the git clone (audit timestamp ~1771650451, inotify 05:07:31) and after install completion (audit timestamp ~1771650472). Both windows correspond to the audit orchestrator's own pre- and post-install verification passes. The skill contains no code capable of initiating these reads.