Is micahele/donotify-voice-call-reminder safe?

https://github.com/openclaw/skills/tree/main/skills/micahele/donotify-voice-call-reminder

90
SAFE

The donotify-voice-call-reminder skill is a clean, narrowly-scoped API integration skill containing no executable code, no prompt injection attempts, and no malicious install behavior. The installation contacted only GitHub and left no unexpected filesystem artifacts. The primary risks are operational rather than adversarial: the skill transmits user reminder content (potentially privacy-sensitive) to the third-party donotifys.com service, and the configurable DONOTIFY_URL environment variable could redirect API traffic including the bearer token if the user's environment is compromised or misconfigured.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (5)

LOW Reminder content transmitted to external third-party service -18

The skill's core function is to POST user-authored text (title, description) to donotifys.com. Any information the user asks to be reminded about — including meeting names, medical appointments, financial events, or personal details — is transmitted to a third-party server outside the user's control. This is declared behavior, but the privacy implication should be understood before installation.

LOW Configurable API base URL introduces token-redirection risk -12

The DONOTIFY_URL environment variable determines where all API calls — including bearer token authentication headers — are sent. If this variable is ever set to an attacker-controlled host (e.g., through a misconfigured deployment, a compromised env file, or via prompt injection in another skill that sets environment variables), the API token and all reminder payloads would be exfiltrated silently.

INFO Installation is clean — only GitHub contacted 0

The skill installation cloned a single sparse subtree from github.com over HTTPS and copied three files into the skill directory. No connections to donotifys.com, no connections to novel IPs, and no filesystem writes outside the skill directory were observed.

INFO No executable code or install hooks present 0

The skill contains only three files: SKILL.md (API documentation for an LLM agent), package.json (metadata only, no scripts), and _meta.json (registry metadata). There is no code that executes at install time or at runtime.

INFO Canary files accessed read-only by Oathe framework, not by skill 0

Filesystem monitoring recorded read-only access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at timestamps 1771928375 (pre-install) and 1771928399 (post-install). Both access windows correspond to the Oathe audit framework's own baseline hashing and integrity verification passes. No write events and no CLOSE_WRITE events were observed on any canary file. The integrity monitor confirms all canary files intact.