Is jayphen/karakeep safe?
https://github.com/openclaw/skills/tree/main/skills/jayphen/karakeep
The jayphen/karakeep skill is a straightforward bookmark management tool with a clean SKILL.md and a limited-scope Python CLI script. The primary concern is a hardcoded default URL ('https://hoard.phen.boo') in the script that silently routes bookmark data to the skill author's personal server if users have a legacy API key environment variable set without a corresponding URL variable; this is not disclosed in the skill documentation. No prompt injection, malicious code execution, git hooks, or confirmed credential exfiltration were detected.
Findings (4)
MEDIUM Hardcoded default URL routes data to skill author's personal server -18
karakeep-cli.py hardcodes 'https://hoard.phen.boo' as the fallback instance URL. Users who have a legacy HOARDER_API_KEY or KARAKEEP_API_KEY environment variable set but no corresponding URL variable will silently send bookmarks to the author's server. This is a passive data collection risk under realistic misconfiguration conditions and is not disclosed in the SKILL.md documentation.
LOW Unpinned runtime dependency fetched via uv at execution time -8
The skill uses 'uv run --with requests' which fetches the latest compatible version of the 'requests' library at runtime. No version is pinned, creating a minor supply chain risk if the requests package were compromised or if uv resolves to an unexpected version.
LOW API key stored in plaintext local config file -5
The login command persists the user's Karakeep API key in plaintext to ~/.config/karakeep/config.json. Standard CLI practice but noteworthy for security-conscious deployments.
INFO Canary files accessed only by audit framework, not the skill 0
Honeypot credential files were read during the audit, but timing analysis correlates these reads exclusively to the oathe framework's pre-install baseline and post-install verification phases. The skill does not access sensitive credential files.