Is erik-agens/shortcuts-skill safe?
https://github.com/openclaw/skills/tree/main/skills/erik-agens/shortcuts-skill
The shortcuts-generator skill is a well-structured, documentation-only skill for generating Apple Shortcuts plist files. No prompt injection, hidden instructions, executable code, install hooks, or exfiltration logic was found in any skill file. The primary security considerations are the Bash tool access declaration (legitimate for the shortcuts sign command, but broad) and the comprehensive documentation of dangerous Shortcuts action types (runshellscript, runosascript), which could assist in generating malicious .shortcut files. Canary file accesses observed during the audit window are consistent with the oathe monitoring framework's own baseline and post-install verification routines, not with any skill-initiated behavior.
Findings (4)
LOW Bash tool access declared alongside Write -10
The skill declares allowed-tools: Write, Bash. While Bash is needed for the shortcuts sign CLI command, granting shell access expands the attack surface. With this skill active, a malicious or confused user prompt could leverage the Bash tool for unintended operations.
LOW Documentation of network and shell Shortcuts actions enables malicious shortcut generation -8
ACTIONS.md comprehensively documents is.workflow.actions.runshellscript, is.workflow.actions.runosascript, and is.workflow.actions.downloadurl. An attacker using this skill to generate shortcuts could craft plists containing these actions to exfiltrate data or execute arbitrary code on end-user macOS devices after the .shortcut file is imported and run.
INFO Canary files opened read-only during monitoring window -3
Six honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened with read access at two points during the audit. Access pattern is sequential and systematic with CLOSE_NOWRITE events, and no correlated outbound network traffic was detected. This is consistent with the oathe monitoring framework performing its own canary baseline and post-install verification rather than skill-initiated access. The skill itself contains no executable code that could trigger these accesses.
INFO Skill enables generation of fully-featured Shortcuts including dangerous action types -5
The skill covers 1,155 Shortcuts actions including delete operations (deletephotos, deletefile), shell execution (runshellscript, runosascript), messaging (sendmessage, sendemail), and network fetching (downloadurl). A user requesting an automation shortcut could unknowingly receive one with destructive or privacy-invasive actions if the agent misinterprets intent.