Is accli safe?

https://clawhub.ai/joargp/accli

68
CAUTION

The accli skill is a macOS Apple Calendar CLI wrapper that appears functionally legitimate with no prompt injection or data exfiltration instructions in SKILL.md. However, it requires a global npm install of an unaudited package, uses the powerful JXA scripting engine that grants broad system access beyond calendar operations, and filesystem monitoring detected reads of .env and .aws/credentials during installation. No network exfiltration was observed and canary files remained intact.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 50/100 · 20%
Clone Behavior 72/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (7)

HIGH Sensitive credential files accessed during install -40

During the skill installation phase, filesystem monitoring detected READ access to /home/oc-exec/.env and /home/oc-exec/.aws/credentials. While these files were not modified and no network exfiltration was observed, reading credential files during a skill install is a significant concern. This may be attributable to the openclaw runtime rather than the skill itself, but cannot be definitively separated.

HIGH Global npm package installation with opaque code -35

The skill instructs 'npm install -g @joargp/accli' which installs an unaudited npm package globally. The package's actual code, dependencies, and lifecycle scripts were not inspected as part of this audit. Global npm installs run with the user's full permissions and can execute arbitrary code via preinstall/postinstall scripts.

MEDIUM JXA scripting engine grants broad system access -15

The accli tool uses macOS JavaScript for Automation (JXA), which provides access not just to Calendar.app but to the entire Open Scripting Architecture. A compromised or malicious version of the tool could use JXA to access Keychain, control other applications, read arbitrary files, or execute shell commands — all without additional permission prompts.

MEDIUM Calendar data exposure risk -20

Calendar data frequently contains sensitive business information: meeting titles revealing project codenames, attendee lists revealing organizational structure, locations revealing office addresses, and descriptions containing agenda items and links. The skill grants the agent full read access to all calendars with no scope limitation.

LOW Broad trigger phrase surface area -5

The skill description uses broad trigger phrases ('check my calendar', 'what's on my schedule', 'am I free tomorrow') that could cause the skill to activate in contexts where the user did not intend calendar access. This is a usability concern rather than a security vulnerability.

LOW Shell command execution via agent -10

The skill instructs the agent to execute shell commands (accli ...) to interact with the calendar. While the commands are well-scoped in the documentation, the agent could potentially be manipulated into constructing malicious command arguments if calendar event data contains injection payloads (e.g., event titles with shell metacharacters).

INFO Temporary file creation during install -5

Multiple .cjs files were created in /tmp/jiti/ during installation, indicating JIT compilation of TypeScript/ESM modules. This is standard behavior for the jiti runtime transpiler and is not itself malicious, but represents code execution during the install phase.