Is jorgermp/google-photos safe?

https://github.com/openclaw/skills/tree/main/skills/jorgermp/google-photos

Overall score: 86/100 (SAFE)

This Google Photos skill provides legitimate API integration functionality with clean documentation and standard OAuth2 authentication. However, it accessed sensitive system files during installation without clear justification, which raises security concerns despite no actual data modification.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (2)

HIGH Accessed Sensitive System Files -30

During installation, the skill accessed sensitive files including .env, SSH private keys, AWS credentials, and SSH authorized_keys. While no modifications were detected, this behavior is concerning for a Google Photos integration skill.

LOW Hardcoded Path in Python Shebang -15

The Python script uses a hardcoded shebang path specific to the developer's environment, which may cause portability issues.