Is manikal/hide-my-email safe?

https://github.com/openclaw/skills/tree/main/skills/manikal/hide-my-email

84
SAFE

The hide-my-email skill (manikal/hide-my-email) presents a legitimate macOS privacy utility with a clean SKILL.md that contains no prompt injection, persona overrides, or hidden instructions. The primary security concerns are the unpinned git clone in the recommended install path (supply chain risk) and the Accessibility-privileged AppleScript that cannot be fully audited within this skill's files. Canary credential files were accessed during the audit but timing and pattern analysis attributes these accesses to the audit harness's own pre/post integrity checks rather than skill behavior, and all canary files remain intact.

Category Scores

Prompt Injection 94/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 82/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (6)

MEDIUM Unpinned git clone in recommended install path -15

The SKILL.md frontmatter marks the git-clone method as 'recommended' and it clones the latest HEAD of the upstream repo with no commit hash, tag, or checksum verification. Any future push to manikal/hide-my-email would immediately affect all subsequent users who follow the recommended install path. The curl method is pinned to v1.0.1, which is safer, but the framing steers users toward the unpinned option.

MEDIUM Installs unaudited AppleScript requiring Accessibility permissions -12

The install.sh copies hide_my_email.applescript from the upstream repo into the user's PATH. This AppleScript is not included in the skill's own files and cannot be reviewed within this audit. It executes with Accessibility permissions, which on macOS allows controlling any application's UI — far beyond what is needed to click through System Settings. A malicious version of this script could exfiltrate data, read keychain entries, or automate other applications entirely.

LOW Honeypot credential files accessed during install window -15

Six sensitive honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read (all with CLOSE_NOWRITE — not modified) at 1771930854.695 and again at 1771930877.749. Timing correlation with the audit harness ss command (1771930854.665) and the post-install phase strongly suggests both accesses are audit harness pre/post canary integrity checks, not skill behavior. install.sh contains no code that would read these files. Documented for completeness.

LOW Curl-pipe-sh alternate install executes remote code without review -8

The SKILL.md offers 'curl -fsSL https://raw.githubusercontent.com/.../v1.0.1/install.sh | sh' as a secondary install option. While pinned to a version tag, this pattern downloads and executes shell code in a single pipeline with no opportunity for local review, checksum verification, or sandboxing.

LOW Outbound connections to Ubuntu/Canonical servers during install window -18

Connections to 91.189.91.49:443 and 185.125.188.58:443 were observed beginning at 11:00:54, which coincides with SSH session establishment and the execution of /etc/update-motd.d/* scripts. These are Ubuntu Advantage/MOTD update services that run on every SSH login and are unrelated to the skill. Connection diff confirms they were present before install and absent after. Documented for completeness.

INFO Skill is macOS-only and requires privileged Accessibility API access -25

The skill declares os: [macos] and requires an iCloud+ subscription plus Accessibility permission granted to the terminal. On any non-macOS platform the hme binary will be absent and the skill silently fails. On macOS, the Accessibility permission requirement is broader than strictly necessary for the advertised use case.