Is lucky-2968/todo-management-1-1-2 safe?
https://github.com/openclaw/skills/tree/main/skills/lucky-2968/todo-management-1-1-2
The todo-management-1-1-2 skill is a straightforward SQLite-backed todo manager implemented in bash with no network calls and well-scoped agent instructions. The primary concerns are: (1) an unexplained npm dependency on the content-free 'package-lock.json' package that has no functional purpose for this bash-only skill, (2) sensitive credential files were opened during the audit window, though temporal analysis strongly attributes these accesses to the Oathe monitoring framework rather than the skill itself, and (3) the agent-side command construction pattern carries a general shell injection risk if the agent fails to quote user-provided task names. No prompt injection, data exfiltration, or malicious code was detected in the skill's files.
Findings (6)
MEDIUM (-20) Unexplained npm dependency in bash-only skill
The package.json declares 'package-lock.json@^1.0.0' as a runtime dependency, and a pnpm-lock.yaml is committed alongside it. The skill is implemented entirely in bash and requires only sqlite3. There is no functional reason for any npm dependency. The 'package-lock.json' npm package is a real but content-free registry package. This pattern is anomalous and may indicate developer confusion, an accident, or an attempt to trigger npm install in environments where npm is run automatically against skill directories.
LOW (-20) Sensitive credential files accessed during audit window
The inotify and auditd logs record OPEN+ACCESS events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application_default_credentials.json at 04:05:24 (pre-install) and 04:05:47 (post-install). Temporal analysis strongly suggests these accesses originate from the Oathe audit framework's own canary baseline and verification steps rather than from the skill. No outbound network connection carrying credential data was observed, and canary integrity is confirmed.
LOW (-18) Agent-side shell injection via unquoted user task text
The SKILL.md instructs the agent to construct shell commands such as 'bash {baseDir}/scripts/todo.sh entry create "Buy milk"'. If the agent interpolates unsanitized user input directly into this command string without proper quoting, a task name containing shell metacharacters (e.g., backticks, $(), semicolons) could result in arbitrary command execution. This is a general risk with any shell-invoking skill and depends on the agent's command construction hygiene.
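As an added example (not code from the skill or from the audit), this is the agent-side construction the finding calls for: an argv list, or a shlex-quoted command line, beside the naive template, plus a check that shows which task texts the naive template mishandles. The function names and the base directory are assumptions; only the documented todo.sh invocation is taken from the page.

```python
import shlex
from typing import List

# Added illustration, not code from the skill or the audit. Function names and
# the base directory are hypothetical; the fixed point is the invocation that
# SKILL.md documents:  bash {baseDir}/scripts/todo.sh entry create "<text>"


def build_argv(base_dir: str, action: str, task_text: str) -> List[str]:
    """Command as an argv list. Passed to subprocess.run(argv) without shell=True,
    task_text reaches todo.sh as one argument whatever characters it contains."""
    return ["bash", f"{base_dir}/scripts/todo.sh", "entry", action, task_text]


def build_command_string(base_dir: str, action: str, task_text: str) -> str:
    """When the agent must emit a single command line, quote every word with
    shlex.quote so a POSIX shell parses task_text back into exactly one word."""
    return " ".join(shlex.quote(w) for w in build_argv(base_dir, action, task_text))


def naive_command_string(base_dir: str, action: str, task_text: str) -> str:
    """The pattern the finding warns about: user text dropped straight into the
    template, protected only by the template's own double quotes."""
    return f'bash {base_dir}/scripts/todo.sh entry {action} "{task_text}"'


def safe_inside_double_quotes(text: str) -> bool:
    """Pre-check for a template that cannot be changed: $ ` " and backslash are
    still interpreted by a POSIX shell inside double quotes, so any of them in
    user text means the naive template must not be used."""
    return not any(ch in text for ch in '$`"\\')


def splits_to_intended_argv(command: str, intended: List[str]) -> bool:
    """Detection helper: does shell word-splitting of `command` yield exactly the
    intended argv? shlex.split applies POSIX quoting rules but does not expand
    $() or backticks, so pair it with safe_inside_double_quotes."""
    return shlex.split(command) == intended


if __name__ == "__main__":
    base = "/opt/skills/todo-management-1-1-2"  # placeholder path
    for text in ["Buy milk", "Mom's birthday", "Buy milk $(id)",
                 'milk"; echo injected; echo "']:
        argv = build_argv(base, "create", text)
        print(repr(text), "quoted-ok:",
              splits_to_intended_argv(build_command_string(base, "create", text), argv),
              "naive-splits-ok:",
              splits_to_intended_argv(naive_command_string(base, "create", text), argv),
              "naive-safe:", safe_inside_double_quotes(text))
```

The last two rows of the output are the instructive ones: "Buy milk $(id)" still splits into one word under the naive template yet is rejected by the pre-check, while the double-quote-breaking text splits into extra words.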
LOW (-10) Assertive 'non-negotiable' rule framing in SKILL.md
The SKILL.md uses the heading 'Non-negotiable rules' for behavioral constraints. While the rules themselves are benign (short replies, no markdown exports, list-only-when-asked), the framing creates a strong imperative that could suppress the agent's ability to use judgment or override constraints in legitimate user-requested edge cases. This is a minor concern compared to actual injection attempts.
INFO (0) Clean install — no unexpected network or process activity
The git clone was limited to GitHub (140.82.121.4:443) via HTTPS. Sparse checkout correctly isolated only the skill subdirectory. No new listeners, no unexpected daemons, no filesystem modifications outside the skill directory were observed post-install.
INFO (0) todo.sh script is well-implemented with proper input validation
The shell script uses set -euo pipefail, validates integer IDs via regex, validates status values against a fixed allowlist, and escapes SQL string literals via sql_q(). No network calls, no dynamic code execution, no eval, no curl/wget.