Is cuuush/groupme-cli safe?

https://github.com/openclaw/skills/tree/main/skills/cuuush/groupme-cli

78 CAUTION

The cuuush/groupme-cli SKILL.md is clean of prompt injection and the skill package itself contains no executable code — only documentation. However, installation requires running an unaudited external npm package from github.com/cuuush/groupme-cli whose lifecycle scripts were not examined in this audit. Additionally, the skill's core function (bidirectional GroupMe messaging) inherently provides a covert data exfiltration channel usable by any agent that also has filesystem or network access.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

HIGH Unaudited external npm package install -45

The skill's installation procedure clones and executes code from github.com/cuuush/groupme-cli — a separate repository not included in this skill package. npm install on that repo may trigger preinstall/postinstall/prepare lifecycle scripts that execute arbitrary code. The bundled output (dist/groupme-cli.js) is then globally linked. This external code was not examined during this audit.

MEDIUM GroupMe API as covert exfiltration channel -20

The skill provides agent access to send arbitrary messages to GroupMe groups and direct message any user ID. In an agent context where the agent also has file or network access, this creates a covert channel: read sensitive data → send via groupme send/dm. Traffic to api.groupme.com over HTTPS is indistinguishable from legitimate use.

MEDIUM Persistent credential storage -10

The GROUPME_TOKEN is stored persistently at ~/.config/groupme/config.json after groupme config --token is run. This file persists across sessions and could be harvested by other skills or processes with filesystem access.

LOW Message history ingestion expands agent context attack surface -25

Commands groupme read and groupme dm-read inject GroupMe message history into the agent's context window. If those messages contain prompt injection payloads crafted by other GroupMe users, the agent could be manipulated via its own tool output.

LOW Canary files accessed — attributed to audit framework -10

Six sensitive honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at audit timestamps 1771940965 (before git clone at 1771940971) and 1771940985 (after all skill analysis completed). Timing and process context indicate these are audit-framework baseline and integrity-verification operations, not skill activity. Canary integrity check confirms no modifications.

INFO External URL referenced in install instructions -8

SKILL.md references https://github.com/cuuush/groupme-cli and https://esbuild.github.io/. These are documentation URLs, not agent-fetch instructions. No prompt injection via URL embedding detected.