Is facundolucci/plsreadme safe?

https://github.com/openclaw/skills/tree/main/skills/facundolucci/plsreadme

Overall score: 86
Verdict: SAFE

The plsreadme skill is a clean, well-scoped markdown-sharing tool with no prompt injection, no malicious code, no suspicious clone behavior, and intact canary files. The primary security concern is inherent to its design: the plsreadme_share_file tool reads and uploads any local file path to an external server with permanent public links and no path restrictions, creating a meaningful exfiltration vector if an agent is manipulated into sharing sensitive files. The third-party npx-based MCP server also introduces supply-chain risk at deployment time.

Category Scores (score/100 · weight)

Prompt Injection 95/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

HIGH Any-path file upload to external server -25

The plsreadme_share_file tool accepts an arbitrary local file path, reads its contents, and uploads them to plsreadme.com. The skill imposes no path restrictions — there is no sandboxing to a safe directory, no file-type enforcement beyond a suggestion of markdown, and no size limit enforcement at the skill level. An agent manipulated via prompt injection or a malicious user request could use this tool to exfiltrate any readable file.

HIGH Permanent public links — no revocation mechanism -10

The skill explicitly states links are permanent and publicly accessible. Once sensitive content is uploaded (intentionally or not), there is no mechanism to retract it. This amplifies the blast radius of any accidental or manipulated file share.

MEDIUM Third-party npm package executed at runtime via npx -12

The recommended setup runs npx -y plsreadme-mcp which downloads and executes an unversioned npm package from the registry each time. A compromised or updated package could introduce malicious behavior without any change to the skill itself. The -y flag suppresses confirmation prompts.

MEDIUM Remote MCP endpoint transmits content to third-party infrastructure -8

The skill offers an alternative zero-install configuration using a remote MCP endpoint at https://plsreadme.com/mcp. In this mode, all file content is transmitted to and processed by plsreadme.com servers. Users have no visibility into what is logged, retained, or shared by the operator of that endpoint.

LOW No path restriction increases social-engineering attack surface -5

Because the tool accepts any path, a malicious instruction embedded in a document being processed (indirect prompt injection) could redirect the agent to share a sensitive file path instead of the intended document. The broad trigger phrases in the skill's description ('share a document', 'make this readable') increase the likelihood of inadvertent activation.

INFO Canary file accesses are audit-infrastructure artifacts 0

Filesystem events show canary files (.env, id_rsa, .aws/credentials, etc.) opened at timestamps 1771919557.950 (before clone) and 1771919576.706 (after install). All are CLOSE_NOWRITE events (read-only opens), consistent with the audit framework's pre/post baseline reads. The skill itself performed no file accesses.