Is chordlini/localsend safe?

The skill instructs the agent to start the receiver with the -y flag and advertises 'Auto-accept: ON' in its confirmation message. Any device on the local network running the LocalSend app can push arbitrary files to ~/incoming/ without any per-transfer user prompt. This runs as a background process for the full duration the user has the receiver active, requiring no further user interaction for each incoming transfer.

After receiving any archive or build artifact, the skill immediately surfaces a 'Deploy' action button to the user. A malicious actor sharing the same local network could push a crafted archive; the agent would auto-accept it (due to -y) and then prompt the user to deploy. If the user confirms, the agent would extract and run the received content. This turns the file-receive workflow into an indirect remote code execution vector requiring only LAN adjacency.

The receive subcommand starts a TLS server on port 53317 (with automatic fallback to 53318/53319) that any LocalSend-capable LAN device can reach. Per the LocalSend v2 protocol (documented in references/protocol.md), clients do not verify the server's self-signed certificate. The server is fully reachable without authentication beyond device discovery for the lifetime of the receive session.

While the receiver is active, the skill directs the agent to poll the save directory every 2-3 seconds, diff the file list, read metadata for each new arrival, and automatically present type-specific actions. This creates a long-running background loop with continuous filesystem access and automated response logic that executes without further user instruction.

The skill's main menu activates on the phrases 'localsend', 'send files', 'receive files', or 'similar'. These overlap heavily with common conversational phrases a user might say in unrelated contexts (e.g., 'I need to send files via email' or 'I want to receive files from Dropbox'). Unintended activation could silently start device discovery or open a background receiver.

The skill embeds an inline Python3 command for parsing JSON device output from localsend-cli. The code is benign (iterates JSON array, prints alias/ip/deviceType). However, inline shell script patterns in skill files create a foothold for supply-chain modification: if the skill's SKILL.md were altered in a future version, this pattern could deliver malicious commands.

Six honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read during the monitoring window. Critically, the inotify and auditd timestamps (1771653858) pre-date the git clone by ~5 seconds (1771653863), and the reads were CLOSE_NOWRITE — consistent with the audit monitoring infrastructure probing for baseline access rather than any skill activity. File contents were not modified and no exfiltration was detected in network captures.

The installation process performed a sparse git clone from github.com only. Network capture shows a single TCP connection to 140.82.121.4:443 (GitHub). No unexpected processes were launched, no filesystem changes occurred outside the skill directory, and the connection state before and after install is identical (no new listening ports).