Is daveonkels/clinkding safe?
https://github.com/openclaw/skills/tree/main/skills/daveonkels/clinkding
clinkding is a legitimate bookmark manager CLI skill with no malicious prompt injection, no hidden content, and a clean install profile. The primary concerns are a prescriptive cross-skill invocation pattern (mandatory summarize skill call on every URL save), a general-purpose file upload command with no path guardrails that could theoretically exfiltrate files, and embedding of the author's personal tag taxonomy as a universal constraint. Post-install reads of honeypot credential files were detected but are most likely attributable to the audit framework's post-install scan rather than the skill itself, consistent with the canary integrity system reporting all files intact.
Findings (8)
MEDIUM (-10) Automatic cross-skill invocation of `summarize` without per-action consent
The SKILL.md instructs the agent that whenever a user says 'Save this URL', the agent MUST first invoke a separate summarize skill to extract metadata. This is implicit cross-skill chaining: the user consented to install clinkding, not necessarily to have the summarize skill invoked on every URL they share. If the summarize skill is malicious, compromised, or unavailable, the save workflow behaves in ways the user did not anticipate. The chain is not user-configurable within the skill.
MEDIUM (-12) Asset upload command allows arbitrary filesystem file upload
The skill documents and normalizes the `clinkding assets upload <bookmark_id> <local_filepath>` command. An agent operating under this skill's instructions could be prompted or confused into uploading files from sensitive paths (e.g., ~/.ssh, ~/.env) as 'attachments' to bookmarks. The skill includes no guardrails against uploading files outside expected directories, and any file uploaded this way leaves the local machine for the user's linkding server.
LOW (-8) Author's personal tag taxonomy enforced globally
The skill embeds 263 canonical tags from the author's personal linkding instance (including bookmark counts like 'pinboard (4,987)', 'ifttt (2,639)') and instructs the agent to enforce this as the canonical tag set for all users. The agent is told never to create new tags without explicit user request, privileging the author's historical tag structure over the user's own organization preferences.
LOW (-10) Automatic URL fetching via summarize skill on every save
Every time the user asks to save a URL, the skill instructs the agent to fetch that URL via the summarize skill before creating the bookmark. The user may not want every URL they save to be fetched server-side (a privacy concern), and this creates implicit network activity that the user did not explicitly authorize for each individual URL.
LOW (-12) Post-install read of canary/credential files (attribution uncertain)
Honeypot files including .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials were opened and read at timestamp 1771933207.042, after the skill install completed. While the canary integrity system reports no exfiltration and the pre-install read at 1771933184 is attributable to the audit baseline scan, the post-install read lacks a clear EXECVE attribution in the available log data. It is most likely audit infrastructure, but it cannot be ruled out as an install side effect.
LOW (-15) Batch archive/delete operations without per-item confirmation
The documented batch workflows pipe bookmark list output directly into archive/delete commands. If an agent misinterprets the scope of a user request (e.g., 'clean up old bookmarks'), it could silently archive or delete large numbers of bookmarks. The skill does not mention any confirmation step before bulk destructive operations.
INFO (0) No executable code present in skill repository
The skill contains only SKILL.md and _meta.json. No JavaScript, Python, shell scripts, git hooks, git submodules, .gitattributes filters, or symlinks were found. The skill requires an external binary (clinkding) to be installed via Homebrew or Go, but the skill itself contains no executable code.
INFO (0) Clean standard install from GitHub monorepo
Install used a shallow Git clone of the openclaw/skills monorepo (140.82.121.3 = GitHub), sparse checkout of the target subpath, file copy, and cleanup. No unexpected processes, persistence mechanisms, or network connections were observed.