Oathe Security Badge

Is joargp/accli safe?

https://github.com/openclaw/skills/tree/main/skills/joargp/accli

91
SAFE

The accli skill provides legitimate Apple Calendar CLI functionality through well-documented commands and workflows. It requires installing an external npm package, which introduces some risk, but the skill itself contains no malicious code and implements appropriate user consent mechanisms.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

MEDIUM External npm package dependency -15

The skill requires installation of an external npm package, '@joargp/accli', which could introduce security risks if the package is compromised.

LOW Calendar manipulation potential -10

The skill enables creation, modification, and deletion of calendar events, which could be misused to manipulate user schedules, though this requires explicit user consent.

LOW System file access during installation -10

System processes accessed sensitive files (.env, SSH keys, AWS credentials) during installation, though no exfiltration occurred.

LOW JavaScript for Automation dependency -5

The tool relies on macOS JavaScript for Automation, which involves code execution, though this is documented and expected behavior.