Is hpandya3/pocketsmith safe?

https://github.com/openclaw/skills/tree/main/skills/hpandya3/pocketsmith

Overall score: 89/100 (weighted sum of the category scores below)
Verdict: SAFE

The hpandya3/pocketsmith skill is a straightforward Python CLI wrapper around the PocketSmith personal finance API. The code is clean, the SKILL.md contains no injection patterns, installation triggered only expected GitHub network traffic, and all canary honeypot files remained intact. The primary risk is inherent to the skill's purpose: it provides an agent with unfettered read access to a user's complete financial transaction history and, when write-mode is enabled, the ability to silently create or delete financial records without per-operation confirmation.

Category Scores

Prompt Injection: 95/100 (weight 30%)
Data Exfiltration: 80/100 (weight 25%)
Code Execution: 92/100 (weight 20%)
Clone Behavior: 90/100 (weight 10%)
Canary Integrity: 90/100 (weight 10%)
Behavioral Reasoning: 82/100 (weight 5%)

Findings (7), each listed with its severity and score penalty

LOW (-15): Skill provides read access to complete financial transaction history

By design, this skill allows listing all transactions across all accounts, categories, and time ranges. Once loaded, an agent can silently retrieve a user's entire financial history without any confirmation step. This is inherent to the skill's stated purpose, but users should understand the resulting data exposure surface.

LOW (-8): Unexplained .clawhub/lock.json references external skill 'academic-research-hub'

The skill directory contains .clawhub/lock.json, which lists academic-research-hub v0.1.0 as a previously installed skill. This is most likely a development artifact from the author's environment that was accidentally committed. If the openclaw skill loader processes this file during install, it could trigger installation of a second, unaudited skill.

LOW (-5): Canary files accessed post-install

Audit syscall logs record read access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials after skill installation (timestamps 1771917882, 1771917886). The access pattern is consistent with the oathe audit framework's periodic canary polling, and all canary files were confirmed intact. However, without full process-to-syscall correlation, the access events cannot be definitively attributed to the audit framework alone.

LOW (-18): Write operations lack in-agent confirmation step

While write operations require POCKETSMITH_ALLOW_WRITES=true, this is a one-time opt-in rather than a per-operation confirmation. Once set, an agent can create, modify, or delete financial transactions silently. Transaction memo/payee fields returned from the API could contain adversarial content that, if rendered back to the agent, could trigger unintended mutations.

INFO (0): SKILL.md is clean documentation with no injection patterns

The skill's system prompt content contains only command reference documentation, parameter descriptions, and bash usage examples. There are no attempts to override agent behavior, suppress output, or redirect agent attention.

INFO (0): Minimal, auditable Python implementation with single dependency

Five Python modules total under 500 lines, with a single runtime dependency (httpx). There are no subprocess calls, no eval/exec, no file writes, and no git hooks. The build backend is standard hatchling. The code is straightforward and fully auditable.

INFO (0): Install traffic limited to GitHub only

Installation performed a git clone of the openclaw/skills monorepo with sparse checkout, so only the pocketsmith subdirectory was fetched. The skill itself initiated no additional network connections during installation, and the connection diff shows no persistent state changes.