Is lextoumbourou/pocketsmith-skill safe?
https://github.com/openclaw/skills/tree/main/skills/lextoumbourou/pocketsmith-skill
The pocketsmith-skill is a straightforward PocketSmith API client implemented as a clean Python CLI tool. The SKILL.md contains no prompt injection vectors, the source code reads only its declared environment variable, and all outbound traffic routes exclusively to api.pocketsmith.com. The canary file accesses observed in auditd logs are attributable to the Oathe audit framework's own baseline sweep and post-scan verification, occurring before the skill was cloned. The only notable concerns are an unexplained academic-research-hub reference in the lock file (likely a development artifact) and the inherent sensitivity of granting an AI agent read access to complete financial transaction history.
Category Scores
Findings (4)
LOW Broad financial read access with no agent confirmation gate -10
Read operations (transactions, budgets, categories, labels) execute without requiring POCKETSMITH_ALLOW_WRITES and return full account data to stdout. An agent with this skill active can enumerate a user's entire financial history without any additional confirmation.
LOW Unexpected skill dependency in .clawhub/lock.json -4
The lock file references 'academic-research-hub' v0.1.0 installed at timestamp 1770957475341, which has no relationship to personal finance management. This is likely a leftover artifact from the skill author's own installed skill set rather than a deliberate inclusion, but it represents untested code surface.
INFO Write operations can delete financial records permanently 0
When POCKETSMITH_ALLOW_WRITES=true, the skill exposes DELETE endpoints for transactions, categories, and the forecast cache. A mistaken or manipulated agent invocation could permanently destroy financial categorization data.
INFO openclaw-gateway process establishes external connections post-install 0
After install, the openclaw-gateway process (pid=1087) holds two TCP connections to 54.211.197.216:443 (AWS) and listens on 127.0.0.1:18790 and 127.0.0.1:18793. This is the audit orchestration infrastructure, not the skill.