Is jcromero/carddav-contacts safe?
https://github.com/openclaw/skills/tree/main/skills/jcromero/carddav-contacts
The carddav-contacts skill is a clean, documentation-only skill with no executable code, no prompt injection, and no data exfiltration mechanisms. Canary file accesses observed during monitoring are fully attributable to the Oathe audit harness (pre-clone placement and post-audit verification), not to the skill. The only meaningful risks are inherent to the tool's intended functionality: contact PII becomes accessible to the agent context, and the khard remove command enables destructive operations without a confirmation guard.
Findings (4)
LOW (-8): Credential file path documented in agent-visible context
The vdirsyncer config example exposes ~/.config/vdirsyncer/google_app_password as the credential storage location. This maps sensitive file locations for any agent operating with filesystem read access, which is a prerequisite for using this skill.
LOW (-10): Permanent contact deletion capability with no confirmation guard
The skill instructs the agent to run khard remove without any confirmation step. A prompt-injected instruction ('delete all contacts named john') or a miscommunication could result in irreversible data loss from the user's contact store, including the remote CardDAV server if vdirsyncer syncs afterward.
LOW (-5): Mandatory network call on every contact query
The instruction 'Always sync before querying' directs the agent to contact the CardDAV server before every lookup. This creates a side channel: contact query frequency and timing become visible to the CardDAV provider (e.g., Google), and anyone who controls the CardDAV endpoint learns when the agent is active.
INFO (0): Canary file accesses fully explained by audit harness lifecycle
Both clusters of canary file accesses (pre-clone setup at 1771908140.592 and post-scan verification at 1771908158.152) are temporally bounded by Oathe framework operations, not by any code or behavior originating from the skill. No exfiltration occurred.