Is chris-clem/dexcom safe?

https://github.com/openclaw/skills/tree/main/skills/chris-clem/dexcom

87 · SAFE

The chris-clem/dexcom skill is a legitimate Dexcom CGM glucose monitoring integration that does exactly what it claims. The SKILL.md is clean with no prompt injection, the install clones only from GitHub with no unexpected network activity, and all canary files remain intact. The primary residual risks are the absence of PyPI dependency version pinning (supply chain risk on each invocation), the sensitivity of the health data returned to the agent context, and the requirement to store Dexcom credentials in the agent's environment.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 83/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (6)

LOW Runtime PyPI dependency download — no version pinning -28

The inline script metadata specifies pydexcom and fire as dependencies without pinning to specific versions or content hashes. Each invocation of 'uv run glucose.py' will resolve and potentially download updated package versions from PyPI. A compromised future release of either package would execute in the agent's context.

LOW Sensitive health data (PHI) returned to agent context -17

The skill returns real-time glucose readings, trend direction, and timestamps. When injected into an agent's context window or conversation history, this constitutes Protected Health Information (PHI). If the agent logs conversations or passes context to other skills, glucose data and usage patterns could be disclosed.

LOW Dexcom credentials required in agent environment -17

The skill requires DEXCOM_USER and DEXCOM_PASSWORD to be present as environment variables accessible to the agent process. These credentials grant access to the user's real-time health data stream and could be read by other co-installed skills with env access.

INFO Expected outbound connection to GitHub during install 0

The install process performs a sparse clone from github.com/openclaw/skills.git. The connection to 140.82.121.3:443 is GitHub's infrastructure and is expected behavior for this skills registry.

INFO Credential file accesses attributed to audit harness, not skill 0

inotify and auditd records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud credentials being opened at timestamps 1771650486 (pre-install) and 1771650507 (post-audit teardown). These correspond to the audit harness establishing canary baselines and performing final integrity verification. The skill code (glucose.py) was never executed during this audit session and contains no code to access these paths.

INFO Clean SKILL.md — no injection vectors 0

SKILL.md contains only standard Markdown documentation with setup instructions and usage examples. No hidden text, no instruction overrides, no external URL fetching directives, no persona manipulation.