Is josharsh/book-reader safe?

https://github.com/openclaw/skills/tree/main/skills/josharsh/book-reader

Overall score: 82
Verdict: SAFE

This book-reading skill appears legitimate and implements its stated functionality without major security concerns. The skill handles book downloads from reputable sources and includes progress-tracking features. Although it executes external commands and downloads content, these operations appear necessary for, and appropriately scoped to, the intended functionality.

Category Scores (score out of 100, weight in overall score)

Category               Score    Weight
Prompt Injection       95/100   30%
Data Exfiltration      80/100   25%
Code Execution         75/100   20%
Clone Behavior         95/100   10%
Canary Integrity       90/100   10%
Behavioral Reasoning   85/100   5%

Findings (4)

MEDIUM External Command Execution with User Input -15

The script executes external commands (curl, pandoc, pdftotext, Python) with user-provided input for book searches and downloads. Although input validation appears to be present, passing user input to external commands widens the attack surface.

LOW References to Shadow Library Sources -10

The skill mentions Anna's Archive as a book source, described as operating in a 'legal gray area'. While not a direct security risk, this could expose users to copyright concerns.

LOW Minimal Input Validation for External Downloads -10

The script downloads content from external sources with only basic validation. Although it uses reputable sources such as Project Gutenberg, downloading and processing external content carries inherent risk.

INFO Expected Network Activity -5

Normal git clone operation and DNS lookups detected during installation. No suspicious network behavior observed.