Is maddiedreese/substack-formatter safe?

https://github.com/openclaw/skills/tree/main/skills/maddiedreese/substack-formatter

Overall score: 90
Verdict: SAFE

This is a legitimate text formatting tool for Substack publishing that performs exactly as advertised. The code is straightforward Python with clear functionality for converting text to HTML and copying it to the clipboard. The only security concern is a minor one: subprocess is invoked with shell=True, which appears to be safe in context.

Category Scores

Category               Score     Weight
Prompt Injection       100/100   30%
Data Exfiltration      100/100   25%
Code Execution          75/100   20%
Clone Behavior         100/100   10%
Canary Integrity       100/100   10%
Behavioral Reasoning    95/100    5%

Findings (1)

MEDIUM · Subprocess shell execution · -25

The copy_to_substack.py script uses subprocess.run() with shell=True to execute xclip commands. The temp file path passed to the command is system-generated and likely safe, but the pattern would become vulnerable to shell injection if user-controlled input were ever interpolated into the command string.