Is charliedouglas/gousto-meal-picker safe?

https://github.com/openclaw/skills/tree/main/skills/charliedouglas/gousto-meal-picker

78
CAUTION

The gousto-meal-picker skill presents a well-documented, legitimately scoped Gousto API automation with clean SKILL.md content and a clean install process. The primary risk is that the skill's sole executable artifact (gousto-pick.mjs) was not captured by the audit's source scanner due to an .mjs extension gap, leaving its runtime behavior unverified. The skill also stores live OAuth bearer tokens on disk and requires agent-browser access, which meaningfully expands the trust surface beyond what curl-only skills require.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (8)

HIGH Primary executable (gousto-pick.mjs) not captured by audit source scanner -25

The audit's file-collection find command matched *.js but not *.mjs. The script /home/oc-exec/skill-under-test/scripts/gousto-pick.mjs was installed and confirmed in the filesystem diff (SHA256: d44c6d780fb1087988c55ed7d24a31022203b2314dc3c5b32ea9379e9abdf82f) but its content was never read into the audit corpus. All behavioral claims about what endpoints the script contacts, what files it reads, and whether it exfiltrates data are unverified.

HIGH Unreviewed Node.js ESM module is the sole runtime artifact -20

The skill's entire operational logic resides in a single .mjs file that was not reviewed. Without inspecting it, it is impossible to confirm that it limits API calls to production-api.gousto.co.uk, does not read files outside its config directory, does not log or transmit credentials, and does not contain conditional malicious logic triggered at runtime.

MEDIUM OAuth bearer tokens stored in plaintext local file by design -10

The skill's auth flow saves full browser state including v1_oauth_token (Bearer), v1_oauth_refresh, and v1_oauth_expiry cookies to gousto-auth.json. SKILL.md recommends chmod 600 but does not enforce it. Any skill, process, or agent with filesystem read access to the workspace could extract these tokens and impersonate the user's Gousto account.

MEDIUM agent-browser grants unbounded browser access for OAuth refresh -20

The skill instructs the agent to open a live browser session to gousto.co.uk and save its full state. The agent-browser tool is not scoped to a single origin in this skill's invocation. A malicious version could silently navigate to additional sites, harvest cookies from other logged-in sessions, or trigger actions on third-party services using the user's browser identity.

LOW Canary credential files opened during audit session -5

Six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read during the monitoring window in two separate batches. Temporal analysis strongly attributes both batches to the Oathe audit framework (pre-clone baseline at 1771648757 and post-scan teardown at 1771648776), not to any skill-attributed process. No content was modified or transmitted externally. This is noted as a finding because the access events appear in the evidence.

LOW agent-browser dependency expands agent tool surface beyond stated scope -10

The skill requires the agent-browser binary. While the justification (Gousto WAF blocking curl on auth endpoints) is plausible, requiring browser-level tool access is a meaningful privilege escalation compared to curl-only skills. A malicious skill could abuse this requirement to instruct the agent to perform browser actions on behalf of the user that extend beyond the Gousto domain.

INFO Clean install: single GitHub connection, no persistent state changes 0

The only external network connection during install was the git sparse-checkout clone from github.com (140.82.121.3:443). No new open ports, no new listeners, no DNS lookups for non-GitHub hosts, and no filesystem writes outside the skill install directory were detected. Connection diff shows identical pre/post network state.

INFO No npm install hooks, git hooks, submodules, or symlinks 0

The skill has no package.json (no preinstall/postinstall attack surface), no .gitattributes filter drivers, no .gitmodules pointing to external repositories, and no symlinks that escape the skill directory. The install is a straightforward file copy.