Is coyote-git/omnifocus-automation safe?

https://github.com/openclaw/skills/tree/main/skills/coyote-git/omnifocus-automation

84
SAFE

The OmniFocus Automation skill is a macOS-only JXA wrapper for OmniFocus task management that largely matches its stated purpose. No prompt injection vectors were found in SKILL.md, canary files were untouched by the skill itself, and the git clone made only expected connections to GitHub. The primary concerns are a structural AppleScript injection vulnerability where taskId values are interpolated into osascript templates without sanitization, and the use of doShellScript which breaks the JXA sandbox — both are medium-severity issues that could be weaponized only if an attacker already has a separate code injection vector. The skill is low risk in isolation but elevates risk slightly in environments where agents process untrusted task data.

Category Scores

Prompt Injection 93/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 91/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

MEDIUM Unsanitized taskId injected into AppleScript templates -18

In the tag, untag, repeat, and unrepeat command handlers, the taskId argument received from the CLI is interpolated directly into multi-line AppleScript strings without any escaping or validation. If an attacker could control the value passed as taskId (e.g., via a crafted OmniFocus task ID obtained through prompt injection or another skill), they could inject arbitrary AppleScript directives executed by osascript on the user's macOS system. OmniFocus IDs are normally alphanumeric so practical exploitability is low, but the structural vulnerability exists.

MEDIUM doShellScript provides full shell access from JXA context -12

The script uses Application.currentApplication().doShellScript() to execute shell commands, breaking out of the JXA sandbox. While used here for a legitimate workaround (JXA bugs with OmniFocus tag APIs), this primitive grants the skill the ability to run arbitrary shell commands on the host system. A malicious input could chain into arbitrary code execution if input sanitization fails.

LOW Shell execution primitive creates indirect credential access risk -10

Although the skill does not directly read sensitive files, the doShellScript capability means that if an attacker could inject a crafted taskId or tag name that survives the partial escaping, they could execute commands like 'cat ~/.aws/credentials' and exfiltrate the output via OmniFocus task notes or other in-band channels accessible to the agent. This is a theoretical risk requiring a separate injection vector.

LOW Incomplete AppleScript escaping for tagName -8

escapeForAppleScript escapes only backslashes and double-quotes. It does not handle all AppleScript string injection scenarios such as line continuation characters or other AppleScript-special sequences. While the shell-level escaping of single-quotes is standard, the AppleScript-level escaping is incomplete for production security use.

INFO Canary file accesses attributable to Oathe audit infrastructure 0

The inotify and auditd PATH records show sensitive credential files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were read at two points: before the clone (Oathe baseline/canary placement) and after install (Oathe final integrity check). No EXECVE events from the skill's own processes correspond to these accesses. The canary integrity check confirms all files are unmodified.

INFO SKILL.md is clean documentation with no injection vectors 0

The SKILL.md file contains only legitimate command documentation for OmniFocus automation. There are no instructions to override system behavior, ignore prior instructions, suppress output, fetch external URLs, assume a persona, or request elevated permissions. The frontmatter is standard and accurate to the skill's function.