Is maikimolto/bring-list safe?

https://github.com/openclaw/skills/tree/main/skills/maikimolto/bring-list

Score: 82 (SAFE)

bring-list is a clean, well-structured bash wrapper for the Bring! shopping list REST API with no malicious code, no unexpected network exfiltration, and no canary file tampering. The primary security concern is its credential-handling design: SKILL.md frames sharing passwords in chat as the primary setup path, exposing credentials to conversation logging and LLM context retention. The skill is otherwise technically sound — the bash script is fully auditable, contacts only the legitimate Bring! API, and the install process left no persistent artifacts or unexpected network connections.

Category Scores

Prompt Injection 83/100 · 30%
Data Exfiltration 74/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 74/100 · 5%

Findings (6)

MEDIUM Credential-in-chat as primary setup path -18

SKILL.md presents sharing Bring! email and password directly in the chat conversation as Option A (labeled 'convenient'), with terminal input as Option B. Credentials shared this way flow through the LLM context window, may be retained in conversation history, and could appear in any logging infrastructure the agent platform uses. The skill instructs the agent to confirm 'I won't repeat them' after writing to file, but the credentials are already present in the conversation turn.

LOW Intermediate credential file in /tmp -8

The Step 5 default-list update pipes credentials through /tmp/bring_conf.json before moving back. On a multi-user system, /tmp is world-readable by default, creating a brief window where credentials are accessible to any local user or process. The window is short (pipe + mv), but the pattern is avoidable with sponge or in-place jq editing.

LOW do_setup() uses unsafe heredoc credential interpolation -10

The interactive setup function in bring.sh embeds $email and $password directly into a JSON heredoc without escaping. An email or password containing JSON special characters (quotes, backslash, newline) could produce malformed JSON. The SKILL.md mitigates this by prohibiting agent use of this code path, but the vulnerability exists in the script for human users who run setup interactively.

LOW Normalizes password-sharing in chat as convenience feature -12

While not a prompt injection attack, the SKILL.md's framing of credential-sharing-in-chat as the default 'convenient' option establishes a behavioral norm that weakens user security hygiene. An agent trained on this pattern may apply similar credential-collection approaches in other contexts.

INFO Hardcoded API key in script 0

The Bring! app API key is hardcoded in bring.sh. The comment explicitly notes this is a public key used by all Bring! clients, which is accurate — this key is publicly documented and not a secret. No security concern.

INFO Silent shared-list writes affect third parties -5

Bring! lists are frequently shared between household members. Agent-driven additions, removals, or completions sync instantly to all sharing devices. This is documented behavior, not a vulnerability, but users should understand the agent can affect other people's view of the list without any in-app notification to those users.