Is haseebuchiha/freshbooks-cli safe?
https://github.com/openclaw/skills/tree/main/skills/haseebuchiha/freshbooks-cli
The freshbooks-cli skill definition (SKILL.md) is clean markdown documentation with no prompt injection, hidden instructions, or executable code. However, the primary risk lies in the npm install layer: the package @haseebuchiha/freshbooks-cli is hosted on a personal GitHub Package Registry (not npmjs.com) and its contents — including potential install scripts — were not audited, as this scan only monitored the git clone of the skill definition. The package author (@haseebuchiha) has no verifiable affiliation with FreshBooks Inc., and if the npm package is malicious, it would have access to FreshBooks OAuth tokens and full financial data.
Findings (8)
HIGH Unaudited npm Package from Personal GitHub Package Registry -25
The install spec triggers 'npm install -g @haseebuchiha/freshbooks-cli' from https://npm.pkg.github.com, a personal GitHub Package Registry namespace. This package was NOT installed or inspected during this audit — only the skill definition (SKILL.md) in the git monorepo was cloned and examined. npm packages can execute arbitrary code via preinstall/postinstall/install scripts in package.json. Because the npm installation step was not monitored, any malicious behavior embedded in the package itself would be invisible to this audit.
HIGH Unofficial Package Author with Access to FreshBooks OAuth Credentials -20
@haseebuchiha is not affiliated with FreshBooks Inc. The npm package claims to wrap the official @freshbooks/api SDK but this cannot be verified without inspecting the package contents. If the package is malicious, it would have access to FreshBooks OAuth tokens stored at ~/.config/freshbooks-cli/config.json (created on first auth), FRESHBOOKS_CLIENT_ID and FRESHBOOKS_CLIENT_SECRET env vars, and all invoice/client data returned by API calls that flow through the CLI.
MEDIUM Non-Standard npm Registry Bypasses Public Vetting -13
The package requires configuring .npmrc to point to npm.pkg.github.com instead of the public registry.npmjs.org. Packages on GitHub Package Registry receive no independent security scanning, no public npm audit coverage, and have no download statistics for community vetting. This is an unusual pattern for a tool claiming to wrap an official SaaS SDK.
MEDIUM Canary Sensitive Files Accessed After Skill Installation -5
Auditd PATH records show a second access to all canary honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) at timestamp 1771940632.306 — approximately 1 second after the skill SKILL.md content was read by the audit framework. The oathe canary integrity system reports all files intact with no confirmed exfiltration, and the access pattern is consistent with the audit framework's own post-install canary verification scan. However, the temporal proximity to skill-file reads warrants noting.
MEDIUM Financial Data Exposure Risk via Legitimate-Seeming Operations -15
If installed alongside other skills or in an agentic workflow, this skill provides a clean documented interface to enumerate all FreshBooks clients and invoices. A sophisticated attacker embedding malicious behavior in the npm package could exfiltrate full client lists, invoice totals, and billing contact details through normal-looking CLI invocations that the agent would execute on user request.
LOW Overly Broad Skill Trigger Condition -5
The skill description triggers on 'freshbooks, invoicing, billing, clients, or accounting' — common terms that appear in many business conversations unrelated to FreshBooks specifically. This increases the frequency of skill activation and expands the attack surface if the underlying npm package has malicious behavior.
INFO Positive: User Confirmation Safeguard Present 0
SKILL.md includes an explicit instruction to confirm with the user before creating invoices or modifying billing data. This reduces the risk of accidental financial mutations but does not mitigate supply-chain risk at the npm layer.
INFO Clone Network Activity Consistent with Expected Behavior 0
All network connections during the git clone phase resolve to known-good endpoints: GitHub (140.82.112.4) for the monorepo clone, and Ubuntu/Canonical infrastructure for pre-existing background connections. No unexpected outbound connections or DNS queries were observed during the installation window.