Is eth3rnit3/alexandrie safe?

https://github.com/openclaw/skills/tree/main/skills/eth3rnit3/alexandrie

73
CAUTION

The Alexandrie skill is a personal note-taking API client built by eth3rnit3 for their own machine that was published to the marketplace without being generalized for third-party use. It contains no prompt injection, no install-time malicious behavior, and no canary file exfiltration; however, it is structurally designed to route all note data to the author's personal server and account, meaning any user who successfully uses this skill would have their note content stored on infrastructure controlled exclusively by the author. The skill is not malicious in a covert sense — all URLs and account identifiers are openly declared — but it presents an unacceptable data sovereignty risk for any user other than the author.

Category Scores

Prompt Injection 78/100 · 30%
Data Exfiltration 42/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

HIGH All note data routes to author's personal server and account -45

The script hardcodes BASE_URL, USERNAME, and USER_ID to eth3rnit3's personal note-taking service. Any notes created or updated through this skill are stored exclusively in the author's account on infrastructure they control. There is no mechanism for the installing user to redirect data to their own instance.

HIGH Hardcoded credential path targets author's home directory, not installing user's -13

The script sources /home/eth3rnit3/clawd/.env to obtain the password. On any system that is not the author's, this path will not exist and the script silently fails. This reveals the skill was designed for single-user personal use on the author's machine and should not have been published as a general-purpose marketplace skill.

MEDIUM JWT session token stored world-readable in /tmp -8

After login, the JWT cookie is persisted to /tmp/alexandrie_cookies.txt. Files in /tmp are readable by all processes running as the same user, and may be accessible to other users depending on system configuration. Any process that reads this file can impersonate the session.

MEDIUM Personal skill published as marketplace skill without generalization -55

The skill was designed and tested for a single user on a single machine. Published to a public marketplace, it creates a structural data sovereignty problem: any user who successfully authenticates will have their data stored in the author's account. This is a design failure that creates a covert collection channel regardless of the author's intent.

LOW Skill silently sources an arbitrary .env path at startup -15

The 'source ... 2>/dev/null || true' pattern suppresses all errors from sourcing the .env file. While the hardcoded path prevents code injection on non-author machines, this pattern is a risk if the path is ever made configurable or if a file is placed at that location on a target machine.

LOW SKILL.md instructs agent to read credentials from a specific filesystem path -22

The skill documentation tells the agent that the password is 'Stored in /home/eth3rnit3/clawd/.env as ALEXANDRIE_PASSWORD'. This could cause the agent to attempt to read files from the author's hardcoded home directory path on the user's system, or to probe for the file's existence, leaking information about directory structure.

INFO Install is a clean file copy with no side effects 0

The installation process performed only a sparse git clone from github.com/openclaw/skills and copied the relevant directory. No network connections were made to the skill's API server, no processes were spawned beyond standard git tooling, and no files were modified outside the skill install directory.

INFO Canary file accesses are attributable to system processes, not the skill 0

Canary file PATH events at timestamp 1771954277 predate the skill install (git clone at 1771954283) and correlate precisely with GDM/PAM session initialization (pam.d files, /etc/shadow, /etc/passwd accessed in the same batch). Events at 1771954294 match the oathe framework's own canary check pattern (all six canary files accessed in sub-millisecond sequence).