Is iamngoni/inkdrop safe?

https://github.com/openclaw/skills/tree/main/skills/iamngoni/inkdrop

Overall score: 82
Verdict: SAFE

This Inkdrop integration skill provides legitimate functionality for managing notes through the local Inkdrop HTTP API. However, the bundled shell script contains multiple command injection vulnerabilities that an attacker could exploit if they can control its input parameters.

Category Scores (score/100 · weight in overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (4)

HIGH Command injection in search function -30

The search function passes the unsanitized positional parameters ($*) directly into a shell command substitution, so attacker-controlled arguments could inject additional shell commands.

HIGH Python code injection in create/update functions -25

Variables $TITLE and $BODY are directly interpolated into Python code blocks using triple quotes, allowing potential Python code injection if these variables contain malicious content.

MEDIUM Unsafe shell parameter handling -15

Several shell script functions pass user-provided parameters to commands without sanitization or validation, creating further potential injection vectors.

LOW Credential requirement for local API -10

The script requires INKDROP_AUTH credentials, but these are used only for legitimate access to the local Inkdrop API.