Is imamark/publer safe?
https://github.com/openclaw/skills/tree/main/skills/imamark/publer
The imamark/publer skill is a straightforward Publer API client for scheduling and publishing social media content. The SKILL.md contains no prompt injection, the Python code is clean with no malicious execution patterns, and the install-time monitoring shows only expected GitHub network activity with no canary file exfiltration. The primary concern is the file upload subcommand's acceptance of arbitrary filesystem paths, which could be misused by a compromised or confused agent to upload sensitive files to Publer, though this requires attacker control of the destination workspace. Social media posting also carries inherent irreversibility risk that users should be aware of.
Findings (5)
MEDIUM File upload accepts arbitrary filesystem paths without sanitization -20
The upload subcommand opens any path passed via CLI and sends it to app.publer.com. No validation restricts uploads to image/video files. An agent confused into calling this with a sensitive system path would silently exfiltrate the file's contents to the configured Publer workspace. The attacker must control the Publer account to retrieve the data, limiting practical exploitability, but the vector exists within the skill's normal code path.
MEDIUM Immediate public social media posting with no agent-level confirmation gate -15
The SKILL.md workflow instructs the agent to post immediately upon completing the upload step, with no built-in pause for user confirmation. An agent acting on ambiguous or injected instructions could publish content publicly before the user can review it.
LOW Caption field could be used as covert data channel if agent is compromised -5
The 4000-character text/caption field and SELF_ONLY privacy option could theoretically be chained with filesystem reads to exfiltrate data via Publer post content, requiring a compromised agent and attacker-controlled Publer account.
INFO Executable Python script — clean implementation -10
The skill ships a Python script as intended. Code review shows no eval, exec, subprocess, dynamic imports, shell=True invocations, or obfuscation. Sole dependency is the standard 'requests' library.
INFO Install-time canary file accesses attributable to audit framework -5
Canary files (.env, id_rsa, .aws/credentials, etc.) were opened at 1771905386.848 — 5.5 seconds before the git clone command executed — and again post-install during integrity verification. The Canary Integrity check confirms no files were modified or exfiltrated. These accesses are part of the audit harness, not the skill.