Is hxy9243/zettel-brainstormer safe?

https://github.com/openclaw/skills/tree/main/skills/hxy9243/zettel-brainstormer

Overall score: 85 (SAFE)

Zettel Brainstormer is a legitimate Zettelkasten brainstorming skill with clean, well-documented code that matches its stated purpose. No prompt injection, hidden instructions, malicious exfiltration logic, or unexpected install-time behavior was detected. The primary concern is a privacy one inherent to its design: the skill sends user note content to external LLM APIs (Google Gemini and OpenAI), and the developer committed their personal workspace configuration with hardcoded home directory paths — suggesting the skill was exported from a personal workspace with minimal pre-publication hygiene review.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

MEDIUM User notes sent to external third-party LLM APIs by design -20

The core pipeline sends zettelkasten note content — potentially including personal research, private reflections, or confidential material — to external LLM providers (Google Gemini, OpenAI/GPT via OpenRouter). This is the skill's explicit purpose and is documented, but users may not fully appreciate that their notes leave their local system.

LOW Personal developer paths committed to published config -8

config/models.json contains hardcoded paths referencing the developer's personal home directory (/home/kevin/...). This reveals the developer published their personal workspace configuration without scrubbing it — a security hygiene concern suggesting the skill may not have received a thorough pre-publication review.

LOW Intermediate note paths written to world-readable /tmp -5

The pipeline writes a JSON list of discovered note paths to /tmp/paths.json. On a multi-user system, this exposes the user's note graph topology to any local process or user with /tmp access.

INFO Python scripts require agent shell execution -5

The skill requires the agent to execute Python scripts (find_links.py, setup.py) with shell access. This is standard for agentic skills, but it would expand the attack surface if the scripts were malicious. In this case the scripts are well-audited and match their documentation.

INFO Skill chains with obsidian skill and web search skills -10

SKILL.md specifies use of the 'obsidian' skill (if available) to match style, and configures web_search or brave_search for research. If either of those installed skills is malicious, it could influence the output of this skill.

INFO Personal config committed — first-run setup required -3

The committed models.json reflects the developer's personal configuration. New users who don't run setup.py will have their agent attempt to access /home/kevin/... paths, which will silently fail or produce errors. The SKILL.md does require first-run setup, but this remains a usability and minor security concern.