Is jacobthejacobs/remindme safe?

https://github.com/openclaw/skills/tree/main/skills/jacobthejacobs/remindme

Overall score: 89 · SAFE

The jacobthejacobs/remindme skill is a well-structured, pure-markdown reminder utility for the OpenClaw platform with no executable code, no exfiltration instructions, and a clean installation profile. The primary risk is architectural rather than adversarial: reminders execute as agentTurn payloads in isolated sessions, meaning reminder message content becomes an agent instruction at fire-time — a platform-level concern that applies to all cron-based skills. Canary files were untouched and no unexpected network behavior was observed.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 97/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (5)

LOW AgentTurn reminder payload executes as agent instruction at fire-time -15

Reminders are delivered via payload.kind='agentTurn', meaning the reminder message string becomes an agent instruction in an isolated session. If a user or co-installed skill can influence the reminder message content, adversarial instructions could be deferred and executed later. The skill itself does not attempt to inject malicious content, but the execution model is inherently prompt-adjacent.

LOW Reminder content delivered to external messaging channels -10

The skill routes reminder text outbound to Telegram, Discord, Slack, WhatsApp, Signal, or iMessage via the OpenClaw delivery API. While this is the skill's intended purpose, reminder messages containing sensitive information typed by the user will transit external third-party platforms.

LOW channel:'last' fallback may deliver to unintended recipient -20

When no explicit channel is configured, the skill falls back to 'channel: last' — the most recent external interaction context. If the user's last channel changes between scheduling and reminder fire-time, the message may go to an unintended chat.

INFO Sparse monorepo clone from github.com/openclaw/skills 0

Install fetches only the target skill path via git sparse-checkout from the official OpenClaw skills monorepo. This is expected behavior. The clone is cleaned up after copy.

INFO Credential file accesses attributed to audit framework and OS processes -3

Auditd PATH records show access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials. Cross-referencing timestamps: the first batch (1771955841) aligns exactly with canary file placement by the audit framework; later accesses align with Ubuntu system daemons (check-new-release, update-notifier). No access was triggered by SKILL.md instructions and canary integrity is confirmed.