Is dolverin/bring-rezepte safe?

https://github.com/openclaw/skills/tree/main/skills/dolverin/bring-rezepte

Overall score: 83 (SAFE)

dolverin/bring-rezepte is a legitimate Bring! shopping list integration skill that correctly requires explicit user confirmation before any list mutations. The most significant concerns are: (1) the BRING_NODE_API_PATH environment variable enables arbitrary Node.js module loading that could be exploited via a compromised co-skill or prompt injection, and (2) auditd records unexplained read accesses to all canary files approximately 5 seconds post-install with no corresponding process attribution, though canary integrity was confirmed intact and no exfiltration was detected. Install-time behavior was clean with only the expected GitHub connection observed.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 80/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

MEDIUM Arbitrary Node.js Module Loading via BRING_NODE_API_PATH -18

The loadBring() helper in both scripts unconditionally calls require(process.env.BRING_NODE_API_PATH) if that variable is set. An attacker who can influence environment variables — via prompt injection from a compromised recipe page, a malicious co-installed skill, or a poisoned web_search result — could redirect module loading to an arbitrary file on the filesystem and achieve full Node.js code execution within the agent process.

MEDIUM Unexplained Post-Install Canary File Accesses -20

Auditd PATH records at timestamp 1771904630.983 (entries 1456–1461) show read access to all monitored canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) approximately 5 seconds after the skill was installed. No corresponding EXECVE log entry explains which process triggered these reads. The skill JS scripts were never executed (no node process appears in the exec log), and the canary integrity check passed, suggesting these reads originate from the audit framework's post-install verification scan. However, the absence of a clear process attribution makes this impossible to fully exonerate.

LOW Third-Party Recipe URL Content Injection Risk -10

The skill instructs the agent to fetch and parse arbitrary third-party recipe URLs using both the --parse-url flag and web_fetch. Adversarial content embedded in recipe pages (malicious JSON-LD schema, og:image tags containing instruction strings, or recipe description fields) could inject instructions into the agent context that appear to come from parsed recipe data.

LOW Credentials Exposed via Command-Line Arguments -5

Both scripts accept --email and --password as CLI flags as a fallback when the environment variables are absent. Credentials supplied this way appear verbatim in the process's /proc/<pid>/cmdline and are visible to any process with read access to /proc, as well as in shell history and audit logs. The SKILL.md instructs the agent to pass --email/--password explicitly when the environment variables are not set.

LOW Out-of-Skill-Directory Relative Path in loadBring() Fallback -3

The second fallback in loadBring() resolves '../../node-bring-api/build/bring.js' three levels above the scripts directory (skill root → parent → parent → node-bring-api). This path exits the skill's own directory tree. While intentional for a specific monorepo layout, it assumes a controlled deployment structure and could load unintended code if the skill is placed in an unexpected directory.

INFO web_fetch Framed as Exec-Approval Avoidance -5

SKILL.md twice characterizes web_fetch as preferable specifically because it 'avoids exec approvals'. While technically accurate (web_fetch is a different tool class than shell exec), framing it this way instructs the agent to prefer the path with less user-visible friction rather than the most transparent one.