Is liam8/cubox safe?

https://github.com/openclaw/skills/tree/main/skills/liam8/cubox

87
SAFE

The liam8/cubox skill is a technically clean Cubox bookmarking integration: its Python scripts are readable and unobfuscated, installation contacted only GitHub, canary files were not exfiltrated, and SKILL.md contains no prompt injection. The primary security concern is inherent to the skill's design — it provides a legitimate outbound HTTPS data channel that, in the hands of a manipulated agent, could serve as an exfiltration pathway for sensitive content passed as memo arguments; additionally, CUBOX_API_URL is accepted without domain validation, meaning a compromised environment variable silently redirects all saved content to an attacker-controlled server.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (7)

MEDIUM External HTTPS POST channel accepts arbitrary content -15

Both Python scripts POST user-controlled content to CUBOX_API_URL. This is the intended design, but it is a data-out channel that an adversarially manipulated agent could use to exfiltrate sensitive content passed as the memo or URL arguments. The skill itself reads no files; combined with an agent's file-reading tools, however, the attack surface is significant.

MEDIUM Dual-use exfiltration pathway via memo-saving primitive -20

Any agent with filesystem access and this skill installed has a complete, human-plausible exfiltration pipeline: read file → pass contents as memo content → data exits to external server. The operation logs as a user-initiated bookmark action, making it difficult to detect. A second malicious skill could trigger this chain without the user being aware.
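One mitigation for the chain described above is a pre-send guard that inspects the memo before the POST leaves the host. The following is an added example, not code from the skill or from the audit: the 4096-byte cap is an arbitrary choice, and the secret indicators are well-known public formats (PEM private-key headers, AWS access key IDs, GitHub token prefixes, KEY=/TOKEN=/SECRET= assignments), not anything observed in the skill.

```python
import re
from dataclasses import dataclass, field

# Cap on memo size; a bookmark note does not need to carry a whole file.
# The limit is an assumption for this example, not a Cubox constraint.
MAX_MEMO_BYTES = 4096

# Indicators that the "memo" is really a secret or a file body. These are
# widely documented formats, not patterns taken from the skill.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "env_assignment": re.compile(
        r"(?im)^\s*[A-Z_]{3,}(?:KEY|TOKEN|SECRET|PASSWORD)=\S+"
    ),
}


@dataclass
class EgressVerdict:
    allowed: bool
    reasons: list[str] = field(default_factory=list)


def check_memo_egress(memo: str, max_bytes: int = MAX_MEMO_BYTES) -> EgressVerdict:
    """Decide whether a memo may be sent; every reason for refusal is kept
    so the agent harness can log why a 'bookmark' was blocked."""
    reasons = []
    size = len(memo.encode("utf-8"))
    if size > max_bytes:
        reasons.append(f"memo is {size} bytes, over the {max_bytes}-byte cap")
    for name, pattern in SECRET_PATTERNS.items():
        if pattern.search(memo):
            reasons.append(f"memo matches {name}")
    return EgressVerdict(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed inputs: an ordinary note and a pasted private-key header.
    for sample in ("Interesting article on the OAuth device flow",
                   "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA..."):
        verdict = check_memo_egress(sample)
        print(verdict.allowed, verdict.reasons)
```

The guard belongs in whatever layer invokes the save script (the agent harness or a wrapper), since the skill's own scripts are the channel being controlled; a refusal should be logged with the reasons so the "human-plausible bookmark" no longer hides the attempt.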

LOW Executable Python scripts with outbound HTTP capability -12

The skill ships executable Python scripts that make outbound HTTPS POST requests. Code is plain-text and not obfuscated. No npm install hooks, git hooks, submodules, or symlinks were found. The scripts do not download or execute remote code.

LOW API endpoint URL not validated before use -5

CUBOX_API_URL is consumed directly from the environment without scheme or domain validation. An attacker with environment-write access could redirect all saved content to an arbitrary HTTPS server.
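The validation this finding asks for, as an added example rather than code from the skill: pin the scheme to https, reject userinfo and non-standard ports, and require an exact host match against an allow-list. The page does not name the Cubox API host, so cubox.pro below is a placeholder an operator would confirm before use.

```python
import os
from urllib.parse import urlsplit

# Assumed allow-list for this example; the real Cubox API host must be
# confirmed by the operator. Exact host match only, no suffix matching.
ALLOWED_API_HOSTS = frozenset({"cubox.pro"})


class ApiUrlError(ValueError):
    """CUBOX_API_URL failed validation."""


def validate_api_url(url: str, allowed_hosts=ALLOWED_API_HOSTS) -> str:
    """Return the URL unchanged if it is an acceptable Cubox endpoint,
    otherwise raise ApiUrlError describing the first check that failed."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ApiUrlError(f"scheme must be https, got {parts.scheme!r}")
    # "https://cubox.pro@evil.example/" parses with hostname evil.example;
    # refuse any userinfo rather than reasoning about it.
    if parts.username is not None or parts.password is not None:
        raise ApiUrlError("userinfo in the URL is not allowed")
    host = parts.hostname or ""  # .hostname is already lower-cased
    if host not in allowed_hosts:  # "cubox.pro.evil.example" fails here
        raise ApiUrlError(f"host {host!r} is not an allowed Cubox endpoint")
    if parts.port not in (None, 443):  # .port raises ValueError if non-numeric
        raise ApiUrlError(f"unexpected port {parts.port}")
    return parts.geturl()


def is_allowed_api_url(url: str) -> bool:
    try:
        validate_api_url(url)
        return True
    except ValueError:
        return False


def api_url_from_env(environ=None) -> str:
    """Read CUBOX_API_URL from the environment (or a supplied mapping, for
    testing) and validate it before any request is built from it."""
    env = os.environ if environ is None else environ
    url = env.get("CUBOX_API_URL")
    if not url:
        raise ApiUrlError("CUBOX_API_URL is not set")
    return validate_api_url(url)


if __name__ == "__main__":
    # Constructed values: one legitimate, two redirection attempts.
    for candidate in ("https://cubox.pro/c/api/save/TOKEN",
                      "https://evil.example/collect",
                      "https://cubox.pro@evil.example/collect"):
        print(candidate, "->", is_allowed_api_url(candidate))
```

Validating once at startup and failing closed is preferable to a silent fallback: a rejected CUBOX_API_URL should stop the script with a clear message, because the alternative is exactly the silent redirection the finding describes.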

LOW User-supplied content passed as shell argument to Python scripts -10

SKILL.md instructs the agent to invoke the Python scripts with user content as positional arguments. argparse offers no protection against shell-level injection: it only sees the argument vector the shell has already built. If the agent's shell does not quote the content, the text is word-split and any shell metacharacters in it are interpreted before the script runs, and a memo that begins with a hyphen is read by argparse as an option unless the invocation puts a standalone "--" before the positional arguments.
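The argument-smuggling behaviour described in this finding, shown as an added example that is not the skill's code: a stand-in parser with a single positional argument named content (an assumed shape), the script path scripts/save_memo.py (hypothetical), and a helper that builds the argv an agent should pass to subprocess instead of a shell string.

```python
import argparse
import contextlib
import io
import shlex
import sys
from typing import Optional


# Stand-in for the skill's own parser (assumed shape, not the skill's code):
# one positional argument carrying the memo text.
def build_parser() -> argparse.ArgumentParser:
    parser = argparse.ArgumentParser(prog="save_memo.py")
    parser.add_argument("content", help="memo text to save to Cubox")
    return parser


def parse_memo(argv: list[str]) -> Optional[str]:
    """Return the memo argparse accepts for this argv, or None if it rejects it.

    argparse reports a bad argv by printing usage and calling sys.exit(2);
    the SystemExit is caught here so the outcomes can be compared."""
    try:
        with contextlib.redirect_stderr(io.StringIO()):
            return build_parser().parse_args(argv).content
    except SystemExit:
        return None


def unquoted_shell_argv(memo: str) -> list[str]:
    """What the script receives from `python save_memo.py $MEMO` when MEMO is
    left unquoted: the shell word-splits the memo before the script runs."""
    return shlex.split(memo)


def safe_argv(memo: str, script: str = "scripts/save_memo.py") -> list[str]:
    """Argument vector for subprocess.run(argv) with shell=False (the default):
    no shell re-parsing, and a standalone "--" makes argparse treat a memo
    that begins with "-" as the positional argument rather than an option."""
    return [sys.executable, script, "--", memo]


if __name__ == "__main__":
    # Constructed memos: multi-word text and text that looks like an option.
    for argv in (["hello world"],
                 unquoted_shell_argv("hello world"),
                 ["--version"],
                 safe_argv("--version")[2:]):
        print(argv, "->", parse_memo(argv))
```

Two failure modes are visible: unquoted multi-word content arrives as extra arguments argparse rejects, and a leading hyphen is consumed as an unknown option. Passing a list to subprocess with an explicit "--" avoids both without relying on the calling shell's quoting.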

INFO Installation contacted only expected GitHub endpoint -8

The sole external network connection during installation was to 140.82.121.3:443 (GitHub), consistent with the observed git clone command. No telemetry, C2, or unexpected infrastructure was contacted.

INFO Post-install canary file access consistent with audit framework sweep -5

Canary credentials were accessed at 1771935806.412 in an identical pattern to the pre-audit sweep at 1771935789.125, indicating the oathe framework's own post-audit verification pass rather than skill activity. All canary files remain unmodified and no network exfiltration of their contents was detected.