Is jfarcand/mirroir safe?

https://github.com/openclaw/skills/tree/main/skills/jfarcand/mirroir

Overall score: 86 · SAFE

The mirroir skill is a legitimate iPhone automation tool with a clean SKILL.md containing no malicious instructions, prompt injection attempts, or data exfiltration directives; canary files were untouched and install-time network activity was confined to expected endpoints. The primary concerns are operational rather than adversarial: a curl-pipe-bash install pattern that an agent could misexecute, an unpinned npx invocation creating supply chain risk, and an exceptionally broad capability surface (full iPhone control including OCR, messaging, screen recording, and network mode toggling) that could be chained with other tools to harvest sensitive phone content. This skill is appropriate for users who understand and accept the privacy implications of granting an AI agent full control over their iPhone.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 94/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (8)

MEDIUM Curl-pipe-bash install pattern in setup documentation -12

The SKILL.md Setup section documents '/bin/bash -c "$(curl -fsSL https://mirroir.dev/get-mirroir.sh)"' as the recommended one-line install. An agent with Bash tool access could interpret this documented command as an instruction to execute, downloading and running an arbitrary script from mirroir.dev with no integrity verification (no SHA checksum, no version pinning).

MEDIUM npx -y MCP invocation lacks version pinning -10

The recommended MCP server configuration uses 'npx -y iphone-mirroir-mcp' with no version constraint. Every agent session would fetch and execute the latest published version of the npm package without user confirmation. A compromised or maliciously updated npm package would silently affect all users.

MEDIUM Full iPhone control enables high-privilege operations without per-action confirmation -20

The skill grants the agent unrestricted access to send messages, launch any app, OCR any screen content (including 2FA codes, banking PINs, private messages), record video, and toggle network modes. Combined with other tools (file write, HTTP request), this creates a path to covert data collection from the iPhone screen.

LOW Karabiner-Elements DriverKit kernel extension requirement -10

The skill requires Karabiner-Elements to be installed with its DriverKit kernel extension approved. This is a deep OS integration point; Karabiner operates at the kernel level for input virtualization. The skill instructs users to 'enable all toggles under Karabiner-Elements' in System Settings.

LOW OCR and screenshot tools expose sensitive on-screen content to agent context -12

describe_screen returns all visible text with pixel coordinates; screenshot captures the full display. If invoked on sensitive screens (banking apps, password managers, authenticator apps), credential data enters the agent's context window where it could be acted upon by other skills or logged.

LOW Third-party Homebrew tap without audited formula -10

The Homebrew install path uses 'jfarcand/tap', a personal Homebrew tap. Third-party taps are not reviewed by Homebrew maintainers and could be updated to distribute malicious binaries without user notification.

INFO Skill content is clean and well-structured 0

SKILL.md contains no override instructions, hidden directives, persona manipulation, or unusual Unicode. The skill includes explicit use/not-use guardrails and properly scopes its capabilities.

INFO Canary files accessed but not modified or exfiltrated 0

Multiple read accesses to canary files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were observed both before and after skill installation. Pattern is consistent with periodic audit infrastructure checks rather than skill-triggered behavior. All files confirmed intact.