Is lars147/tmx-cli safe?
https://github.com/openclaw/skills/tree/main/skills/lars147/tmx-cli
The tmx-cli/Cookidoo skill is a functionally legitimate meal planning CLI wrapper with no evidence of malicious intent, successful canary exfiltration, or prompt injection. The primary concerns are poor credential hygiene (auth cookies and documented credential paths stored inside the skill directory), a lock.json artifact referencing an unrelated skill indicating sloppy development practices, and the inherent risk of a substantial bundled Python script performing OAuth and HTTP operations in an agent-accessible context. All monitored destinations are the expected Cookidoo/Vorwerk/Algolia infrastructure and no honeypot files were compromised.
Findings (7)
MEDIUM Auth credentials documented as stored inside skill directory -25
The commands.md reference file explicitly states 'Credentials stored in secrets/cookidoo.env (COOKIDOO_EMAIL, COOKIDOO_PASSWORD)'. The Python code also stores session cookies (cookidoo_cookies.json) and Algolia search tokens (cookidoo_search_token.json) inside SCRIPT_DIR — which is the skill's installation directory. Storing authentication material inside a directory that is part of a git-managed monorepo increases the risk of accidental credential exposure if the directory is shared, synced, or committed.
MEDIUM lock.json references unrelated skill (academic-research-hub) -18
The .clawhub/lock.json bundled inside the tmx-cli skill directory records the installation of a completely different skill: 'academic-research-hub' v0.1.0 installed at timestamp 1770957475341. This file should not reference other skills and likely represents the developer's local workspace state being accidentally committed to the skill repository. While not directly exploitable, it indicates poor development hygiene and raises questions about what other unintended artifacts may be present.
MEDIUM Bundled ~850-line Python script with OAuth, HTTP, and filesystem write capabilities -22
The skill bundles a substantial Python script (tmx_cli.py) that performs OAuth authentication against Vorwerk/Cookidoo identity systems, makes HTTP requests to three external services (cookidoo.de, algolia.net, vorwerk-digital.com), writes credential files to disk, and reads/parses HTML via regex. The code is stdlib-only and the operations are consistent with the skill's stated purpose. However, the size and capability surface of the bundled executable warrants review before trusting it to run in an agent context with tool access.
LOW CLI usage documentation contains ambiguous path reference outside skill directory -10
The CLI Usage section of SKILL.md shows the invocation path as 'python3 {baseDir}/../tmx-cli/tmx_cli.py'. Since the skill directory is named 'tmx-cli', this path resolves to the same location as {baseDir}/tmx_cli.py. However, the confusing '../tmx-cli/' traversal pattern could mislead an agent or user into believing the script is expected to exist one directory level up. If the skill directory were named differently, this path would point outside the installation directory.
LOW Agent-mediated interactive credential collection during login -10
The tmx login flow uses Python input() and getpass.getpass() to collect user email and password interactively. When executed by an LLM agent with shell access, the agent becomes the intermediary for credential entry, meaning Cookidoo credentials pass through the agent's context. This is expected behavior for the skill's design but creates an attack surface if the agent is ever manipulated to invoke login when not intended.
INFO All honeypot canary files intact post-install 0
The audit monitoring confirmed all canary files (.env, SSH private key, AWS credentials, .npmrc, Docker config, GCloud credentials) were unmodified after skill installation. PATH audit events for these files at timestamps 1771907636 and 1771907659 are consistent with the audit framework's own baseline and post-install integrity verification cycles.
INFO Skill includes explicit safety guard for destructive operations 0
SKILL.md Critical Rules section explicitly instructs the agent to 'Confirm before destructive actions (shopping clear, plan remove)'. This is a positive behavioral constraint that reduces the risk of accidental data loss through agent automation.