Is junebugg1214/glasses-to-social safe?

https://github.com/openclaw/skills/tree/main/skills/junebugg1214/glasses-to-social

Overall score: 88 · Verdict: SAFE

The glasses-to-social skill is a legitimate automation tool: its SKILL.md contains no prompt injection, its install cloned only from GitHub, and its canary files were untouched throughout. The primary security concern is operational rather than malicious: when active, the skill's vision-AI image analysis step creates an indirect prompt injection surface, because any text visible in attacker-placed images is explicitly extracted by the agent. Secondary concerns are gdown downloading attacker-influenced content and the cron-based automation reducing per-action oversight.

Category Scores

Prompt Injection 84/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

MEDIUM Image-based indirect prompt injection attack surface -16

The skill instructs the agent to analyze photos fetched from a Google Drive folder using vision AI and then act on the analysis (draft and post content). An attacker who can place images in the monitored folder — either by compromising the Drive folder or guessing a publicly-shared folder ID — can embed textual instructions in images. The vision model will interpret these as scene descriptions, potentially injecting malicious instructions into the agent's context.

LOW gdown downloads arbitrary content from attacker-influenceable URL -12

check-new-photos.sh runs gdown against a folder URL read from a user-supplied config file. There is no validation that the downloaded files are actual images beyond a post-download find command that filters on file extension. A malicious folder owner could give executables image extensions to pass that filter.

LOW Skill requires Twitter/X credentials stored in agent-accessible location -10

SKILL.md's requirements section and setup flow imply storing Twitter/X API credentials accessible to the agent. During normal operation the agent reads these for posting. A compromised agent could exfiltrate them. This is an architectural risk rather than a malicious design in the skill itself.

LOW Cron automation reduces per-action user oversight -28

The skill encourages setting up a cron job running every 15 minutes. In this mode the agent autonomously fetches, analyzes, and drafts posts without user initiation. Only the final posting step requires approval, leaving the fetch, analysis, and draft generation phases fully automated and unsupervised.

INFO No unexpected network connections or process execution during install 0

Clone connected only to GitHub (140.82.121.4:443). Pre-existing connection to 185.125.188.57:443 predates the install and is attributed to the OATHE audit infrastructure. No unexpected processes spawned.

INFO Credential file reads attributed to OATHE monitoring, not skill 0

inotifywait and auditd recorded two rounds of reads on all canary credential files. Timestamps confirm that both rounds fall outside the actual install and correspond to the audit framework's baseline capture (before clone) and final integrity verification (after install). No modification events were detected.