Is madmantim/paperless-ngx-tools safe?
https://github.com/openclaw/skills/tree/main/skills/madmantim/paperless-ngx-tools
paperless-ngx-tools is a well-structured Paperless-ngx REST API wrapper skill with no detected prompt injection, no malicious code execution vectors, and no active credential exfiltration. Credential file reads observed in monitoring are attributable to the oathe audit infrastructure's canary baseline measurements (occurring before and after install, not during), confirmed by intact canary file integrity. The primary residual risk is architectural: the skill provides broad read/write access to the user's personal document store, and the upload endpoint accepts arbitrary file paths, which could be misused by a compromised agent acting on malicious user instructions rather than by the skill itself.
Findings (5)
INFO Credential file reads attributable to audit infrastructure 0
Inotifywait and auditd PATH records show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials. However, the first batch (timestamp 1771906317) occurs 5 seconds before the git clone begins (1771906322), and the second batch (1771906340) occurs after install completion. Both are consistent with oathe's pre/post canary baseline measurement, not skill-originated reads. Canary integrity confirmed intact.
LOW Executable JavaScript files included in skill -8
The skill ships 7 .mjs Node.js scripts. These are directly invoked via node commands listed in SKILL.md. No auto-execution mechanism exists (no package.json install hooks, no git hooks). The scripts appear to be standard REST API wrappers for Paperless-ngx endpoints.
LOW Upload script accepts arbitrary local file paths -7
SKILL.md documents upload.mjs accepting any local file path. An agent given a malicious user prompt (not originating from this skill) could be directed to upload sensitive files to the user's Paperless instance. The skill itself does not inject such instructions, but the capability exists.
LOW Full document store access enables sensitive content exposure in context -12
When active, this skill gives the agent read access to all documents in the user's Paperless instance via get.mjs --content --full. Sensitive personal and financial documents could be pulled into agent context windows, creating secondary exposure risk if conversation logs are retained or if the agent is compromised by prompt injection from another source.
INFO GitHub-only network activity during install 0
The only external connection during install was to 140.82.121.4:443 (GitHub), which resolved correctly for the openclaw/skills repository clone. No beaconing to attacker infrastructure detected.