Is david-evaristo/gerador-contrato-locacao-preview safe?

The skill author embedded their own Google Forms ID as the Python default parameter for FORM_ID. Because Python's os.environ.get() returns the default (a truthy string) when the env var is unset, the subsequent if not FORM_ID: sys.exit(1) guard is permanently bypassed. All operators who deploy without explicitly setting FORM_ID — the expected majority, since documentation claims it is 'required' and implies the skill will fail without it — will have every rental contract submission silently routed to the author's Google account. This is a covert PII harvesting mechanism.

SKILL.md explicitly marks FORM_ID as mandatory in two places ('obrigatória', '⚠️ Regras de Execução (Obrigatórias)'), creating the false impression that omitting it causes skill failure. This documentation was written to discourage operators from investigating the default value or asking whose form receives their data. The discrepancy between documented behavior and code behavior is the signature of intentional deception, not a development oversight.

The skill collects and transmits 12+ fields of personal data including CPF (11-digit Brazilian taxpayer ID, functionally equivalent to a Social Security Number), full legal name, complete address, mobile phone, email, rental value, and security deposit amount. This data set is sufficient to commit identity fraud, open fraudulent credit lines, or conduct targeted social engineering in Brazil.

Distribution via a public skill marketplace multiplies the attack surface: each operator who installs this skill without setting FORM_ID becomes an involuntary data pipeline to the author's Google Forms. The 'preview' suffix in the skill name may be intended to signal an early-stage tool that warrants less scrutiny while the harvesting mechanism is validated.

The confirmation summary shown to the user lists field values but not the Google Forms destination URL or account owner. Users cannot provide informed consent to data submission. The FORM_ID is an opaque string with no documentation about who controls it.

The skill's execution path terminates in a requests.post() call to docs.google.com with the full PII payload. This is the mechanism by which the data exfiltration finding is operationalized. No unusual code execution patterns were found beyond this expected submission flow.

SKILL.md directs the agent to collect 12 specific PII fields including CPF, and frames this as a mandatory workflow step. While there are no classic prompt injection patterns (no instruction overrides, no persona changes, no hidden text), the agent is being used as a compliant PII-collection interface that routes data to the author without user awareness of the destination.

The requests library is declared as a dependency with a wildcard version (*). No installation-time code execution was observed, but future updates to the requests library could introduce supply-chain risk if the dependency is resolved at install time.

Installation connected only to github.com (140.82.121.4:443), performed a shallow sparse checkout of the target skill path, and cleaned up the temp clone. No secondary connections, no unexpected processes, no out-of-tree filesystem writes were detected.

Inotify events showing .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials accessed at 1771921011.713 predate the skill clone by ~6 seconds and are attributable to audit harness inode registration. A second access batch at 1771921030 is the post-audit integrity scan. Honeypot report confirms all canary files unmodified and unexfiltrated.