Is lifehackjohn/qr-password safe?
https://github.com/openclaw/skills/tree/main/skills/lifehackjohn/qr-password
The qr-password skill provides legitimate air-gapped credential transfer functionality via QR codes but introduces several compounding security antipatterns: credentials are exposed in the shell process table via the prescribed echo invocation, QR images are written to a predictable world-readable temp path, and the skill's core design positions the AI agent as a direct handler of plaintext vault credentials with no audit trail. The Python scripts themselves contain no malware, exfiltration code, or prompt injection, and the install was clean with only expected GitHub network activity; the canary honeypot files were read in a pattern consistent with the monitoring system's own verification checks, not skill-originated scanning. The risks are primarily architectural — poor credential hygiene practices baked into the SKILL.md instructions — rather than active malice.
Findings (11)
HIGH (-20): Credentials exposed in process table via echo
SKILL.md Mode A instructs the agent to construct and execute a shell command using echo to pipe credential JSON directly to the Python script. Any credential values embedded in the echo argument appear in /proc/PID/cmdline, the kernel audit log, and ps output, readable by any local process with /proc access or audit log access.
HIGH (-20): AI agent as direct plaintext credential handler
The skill's core architecture requires the AI agent to retrieve and process vault credentials in plaintext. Unlike agent-mediated flows where the agent triggers a secure subsystem without seeing secrets, here the agent directly constructs credential-bearing shell commands. Any prompt injection from any concurrent source (another installed skill, malicious document, attacker-controlled QR in Mode B) during a credential transfer operation directly exposes the credential.
MEDIUM (-15): Output suppression instructions reduce user auditability
SKILL.md mandates the agent suppress output details from the user: 'say QR displayed — never echo the password' and 'Never log credentials to chat history or memory files.' While privacy-motivated, these instructions remove the user's ability to audit whether the agent handled credentials correctly or whether anything unexpected occurred.
MEDIUM (-13): Echo credential pattern teaches insecure shell construction
By providing echo-piped JSON as the canonical credential injection pattern, SKILL.md trains the agent to construct shell commands with embedded secrets. This is contrary to secure shell hygiene (which uses printf '%s', process substitution, or named pipes) and creates a systematic credential leakage pattern for all future uses of this skill.
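The process-table exposure described in the two echo findings above, as an added example that is not code from the qr-password skill: the SKILL.md echo pattern beside a stdin-based delivery, with a check that renders argv exactly as Linux exposes it in /proc/<pid>/cmdline. `cat` stands in for the skill's Python script and the credential is a constructed placeholder.

```python
"""Credential delivery to a child process: argv vs. stdin.

Added example, not the skill's code. insecure_argv() reproduces the Mode A
pattern (echo the credential JSON into the script); run_hardened() feeds the
same JSON over a pipe so the argument vector never carries it. The kernel
exposes argv verbatim, NUL-joined, in /proc/<pid>/cmdline, which is what `ps`
and the audit log read, so inspecting argv predicts what they would record.
"""
import json
import shlex
import subprocess

# Constructed sample credential for the demonstration; not a real secret.
CREDENTIAL = {"site": "vault.example.test", "user": "alice", "password": "Pl4ceholder!"}


def insecure_argv(cred: dict) -> list[str]:
    """Mode A as prescribed: the whole JSON becomes an argument of `sh`."""
    payload = shlex.quote(json.dumps(cred))
    return ["sh", "-c", f"echo {payload} | cat"]  # `cat` stands in for the script


def hardened_argv() -> list[str]:
    """Argument vector carries no secret; the consumer reads stdin instead."""
    return ["cat"]


def as_proc_cmdline(argv: list[str]) -> bytes:
    """Render argv the way /proc/<pid>/cmdline does: each arg NUL-terminated."""
    return b"".join(arg.encode() + b"\0" for arg in argv)


def secret_visible(argv: list[str], secret: str) -> bool:
    """True if the secret would be readable from the process table."""
    return secret.encode() in as_proc_cmdline(argv)


def run_hardened(cred: dict) -> dict:
    """Send the credential over the stdin pipe; return what the child received."""
    proc = subprocess.run(hardened_argv(), input=json.dumps(cred).encode(),
                          capture_output=True, check=True)
    return json.loads(proc.stdout)
```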
MEDIUM (-15): Camera capture scope unrestricted beyond QR codes
Mode B instructs the agent to invoke 'nodes camera_snap' to capture images. The instruction provides no scope constraint — the agent could be directed to capture arbitrary visual content (screens, documents, physical environments) rather than solely QR codes, with no mechanism to distinguish legitimate from illegitimate capture requests.
MEDIUM (-10): QR image written to predictable world-readable temp path
Generated QR code images are written to /tmp/qr-out.png — a predictable, world-readable path in a directory accessible to all local users. A local attacker can poll for this file and read it during the 30-second window before deletion, extracting the encoded credential. A symlink at that path could also redirect the write.
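A hardened replacement for the /tmp/qr-out.png write, as an added example that is not the skill's code: a per-transfer 0700 directory, a 0600 file created with O_EXCL|O_NOFOLLOW so a pre-planted symlink cannot redirect the write, and removal after the display window. The PNG bytes are a constructed stand-in for the QR image; only the file handling is the point.

```python
"""QR image written to a private path instead of /tmp/qr-out.png.
Added example, not the skill's code; PLACEHOLDER_PNG is a constructed stand-in.
"""
import os
import stat
import tempfile

PLACEHOLDER_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed, not a real image


def open_private_new(path: str) -> int:
    """Create `path` only if nothing (not even a symlink) exists there; mode 0600."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    return os.open(path, flags, 0o600)


def write_qr_private(png: bytes) -> str:
    """Write `png` into a fresh mkdtemp directory (mode 0700); return the file path."""
    path = os.path.join(tempfile.mkdtemp(prefix="qr-"), "qr.png")
    with os.fdopen(open_private_new(path), "wb") as fh:
        fh.write(png)
    return path


def modes(path: str) -> tuple:
    """(file permission bits, parent directory permission bits); symlinks not followed."""
    return (stat.S_IMODE(os.lstat(path).st_mode),
            stat.S_IMODE(os.lstat(os.path.dirname(path)).st_mode))


def cleanup(path: str) -> bool:
    """Remove the image and its directory once the display window ends; True if both gone."""
    os.unlink(path)
    os.rmdir(os.path.dirname(path))
    return not os.path.lexists(path) and not os.path.lexists(os.path.dirname(path))


def symlink_redirect_blocked() -> bool:
    """The hazard the report describes: a symlink already sits at the expected name.
    With O_EXCL|O_NOFOLLOW the open fails (EEXIST) instead of writing through it."""
    outdir = tempfile.mkdtemp(prefix="qr-demo-")
    link = os.path.join(outdir, "qr-out.png")
    os.symlink(os.path.join(outdir, "elsewhere"), link)  # dangling link, planted first
    try:
        open_private_new(link)
        return False
    except OSError:
        return True
    finally:
        os.unlink(link)
        os.rmdir(outdir)
```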
LOW (-12): HTML asset content not reviewed in audit evidence
The file assets/qr-generator.html is described as an offline standalone QR generator, but its source was not present in the audit evidence provided. HTML files with embedded JavaScript can make XHR/fetch network calls, load external scripts, or exfiltrate data entered into them regardless of offline claims. The file is installed on disk alongside the skill.
LOW (-5): Audit trail eliminated by design
SKILL.md explicitly requires deletion of QR images, prohibition of credential logging, and memory suppression. The design makes forensic investigation of a compromised credential transfer impossible after the fact — there is no record of what credential was transferred, when, or to what device.
LOW (-8): Large compiled binary dependency
The skill requires opencv-python-headless, a large package with compiled C++ bindings and extensive transitive dependencies. This introduces significant supply-chain attack surface for a task (QR decode) achievable with smaller pure-Python libraries (e.g., pyzbar, zxing-cpp).
INFO (-15): Credential honeypot files read but not modified
Six sensitive credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at two points: 1771936638.974 (pre-install) and 1771936659.780 (post-install). Both instances show all six files accessed with consecutive audit item numbers and identical timestamps — a batched automated pattern consistent with the Oathe monitoring system performing canary baseline and integrity checks. No exfiltration to external endpoints was detected.
INFO (-10): Install connected only to GitHub as expected
The only external network connection during skill installation was to 140.82.121.4:443 (GitHub) for the sparse git clone. Pre-install connections to 185.125.188.x (Ubuntu/Canonical) are attributable to SSH MOTD update-check scripts and not the skill. No DNS queries to unexpected domains, no unexpected listening sockets post-install.