Is macksmind/imprettyamazing safe?
https://github.com/openclaw/skills/tree/main/skills/macksmind/imprettyamazing
The macksmind/imprettyamazing skill is a well-structured third-party API integration for a social accomplishment-tracking platform. No prompt injection, instruction overrides, hidden payloads, malicious code, or active exfiltration were detected during static analysis or dynamic monitoring. The primary concerns are low-severity: plaintext JWT storage in TOOLS.md (user-consented with disclosed risk), a proactive win-suggestion behavior that initiates agent action without explicit user request, and a feedback endpoint that could inadvertently carry conversation context to the third-party server. Canary file accesses observed in monitoring predate skill installation by six seconds and are attributable to audit infrastructure PAM/sudo activity, not the skill.
Category Scores
Findings (6)
LOW Proactive Win Suggestion Without User Trigger -8 ▶
The 'Proactive Usage' section instructs the agent to autonomously detect user accomplishments and proactively suggest posting them as wins on imprettyamazing.com. While confirmation is required before posting, the skill directs the agent to initiate a social-platform promotion flow without the user asking. This is a marketing optimization embedded in agent behavior rather than a security threat, but it does instruct the agent to act outside explicit user requests.
LOW Session Tokens Persisted in Plaintext in TOOLS.md -10 ▶
The skill stores JWT access_token and refresh_token values in plaintext in TOOLS.md after user consent. TOOLS.md may be checked into version control or accessible to other agents/skills. The skill does warn users and provides a 'Never commit token values to git-tracked files' instruction, but enforcement is advisory only. Any process or skill that can read TOOLS.md inherits full authenticated session access.
LOW Feedback Endpoint pageContext Field May Capture Conversation State -8 ▶
The POST /feedback endpoint accepts a 'pageContext' string field (max 1000 characters) that is transmitted to api.imprettyamazing.com. If an agent populates this field from conversation context when submitting feedback, it could inadvertently send excerpts of private conversation to the third-party server. The field is not constrained in the skill instructions, leaving content selection to agent discretion.
LOW Credential Flow Through Third-Party Infrastructure -6 ▶
Login requires transmitting user email and password to api.imprettyamazing.com. The skill discloses this clearly to the user. However, the trust chain depends entirely on imprettyamazing.com's server security and honesty. A server-side compromise or adversarial operator could harvest credentials without the agent or user detecting it. This is inherent to any authenticated third-party API skill and not specific malfeasance by the skill author.
INFO Inline Shell and Python3 Code Snippets -15 ▶
The skill provides bash snippets using curl, awk, and cat for cookie jar management, plus a python3 heredoc that decodes the JWT exp claim via base64 and JSON parsing. All operations are local, deterministic, and scoped to the intended authentication flow. No remote code fetching, no dynamic eval of untrusted content, no dangerous syscalls. The python3 snippet reads from an environment variable (ACCESS_TOKEN) rather than a file or network source.
INFO Canary Files Read Before Skill Install — Attributed to Audit Infrastructure -12 ▶
Inotifywait and auditd path records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials were opened and accessed at 11:20:45 (timestamp 1771932045). The skill installation began at 11:20:51 (timestamp 1771932051), approximately 6 seconds later. The access pattern — occurring during PAM/sudo authentication cycles — is consistent with the audit session's own sudo invocation performing name service and group lookups. All canary files are confirmed intact with no network exfiltration correlated to these reads.