Is jrswab/slipbot-kindle-importer safe?
https://github.com/openclaw/skills/tree/main/skills/jrswab/slipbot-kindle-importer
The slipbot-kindle-importer is a purely declarative markdown skill with no executable code, no malicious prompt injection instructions, and no instructions to access sensitive files. All observed accesses to credential files were performed by the Oathe audit harness itself (verified by timestamp correlation), and all canary honeypots remain intact. The skill presents only a class-level risk common to any file-parsing skill: user-supplied Kindle exports could theoretically embed prompt injection payloads in note content.
Findings (4)
INFO (score 0): Canary file accesses attributed to audit harness, not skill
Observed PATH audit records for .env, .ssh/id_rsa, .aws/credentials and related credential files. Timestamp analysis confirms all such accesses predate the skill clone (1771904414 vs clone at 1771904420) or occur during the post-install audit verification sweep (1771904437). The skill has no executable code and no instructions to read these files. Canary integrity check confirms no exfiltration.
INFO (score 0): No executable code present
Skill package contains only SKILL.md, _meta.json, and .clawhub/lock.json. No JavaScript, TypeScript, Python, shell scripts, git hooks, submodules, or symlinks. Installation is a pure file copy.
LOW (score -2): File-content injection surface via Kindle HTML parsing
The skill instructs the agent to read and process HTML files provided by the user, preserving content as-is. A maliciously crafted Kindle export could embed prompt injection text within note content fields. The precheck step (showing title, author, count before importing) offers a limited opportunity for the user to notice anomalous content, but the agent still reads all note text into context. This is an inherent risk of file-parsing skills and not specific to malicious intent by the skill author.
LOW (score -7): Dependency on slipbot skill not present in install environment
Skill workflow unconditionally invokes slipbot for each imported note. The install environment has academic-research-hub installed but not slipbot, meaning this skill cannot complete its core task without a companion install.