Is midz99/contextui safe?
https://github.com/openclaw/skills/tree/main/skills/midz99/contextui
The contextui skill is a legitimate developer tool for building, running, and publishing React TSX + Python workflows on the ContextUI platform, with no detected prompt injection, no install-time malware, and an intact canary report. However, significant capability surface concerns exist: the connect_mcp_server tool can persistently expand the agent's tool suite with arbitrary stdio processes, the Exchange marketplace creates an untrusted workflow download-and-execute path with no sandboxing, and Python backend execution runs without restrictions. A coordinated post-install access to all six credential canary files at an identical millisecond timestamp is unexplained but most likely attributable to the Oathe monitoring infrastructure's final audit pass given the intact canary verdict.
Findings (9)
HIGH: Coordinated post-install access to all six credential canary files (-22)
Exactly 6 credential canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed at the identical millisecond timestamp 1771917583.138, approximately 5 seconds after skill installation completed. This differs from the login-time accesses (spread across 1771917559.501–504 from GDM/PAM processes). The attributing process is not visible in the available execve records at that timestamp. No modification was detected and the canary integrity check reports clean, suggesting this may be Oathe's own monitoring infrastructure performing a final audit pass, but the simultaneous access pattern warrants noting.
MEDIUM: connect_mcp_server spawns arbitrary stdio child processes (-15)
The skill's MCP tool suite includes connect_mcp_server which accepts an arbitrary command string and spawns it as a stdio-based MCP server, persisting the configuration in ~/.mcp-servers.json. The reference documentation provides 'npx -y @modelcontextprotocol/server-filesystem /tmp' as an example, which would grant filesystem access. A malicious actor who controls workflow content or Exchange listings could instruct the agent to connect a malicious MCP server, permanently expanding the agent's tool surface.
MEDIUM: Python backend execution with no sandboxing (-12)
The python_start_server MCP tool executes arbitrary Python scripts as local servers under the user's session. Workflows from the Exchange include backend.py files that run without sandboxing. The ServerLauncher pattern installs pip packages automatically. A malicious Exchange workflow could include a Python backend that exfiltrates data or establishes persistence.
MEDIUM: Exchange marketplace creates untrusted workflow download and execution path (-18)
The marketplace-download API fetches signed S3 URLs for workflow files and installs them into the local workflows directory. These files immediately become launchable and include React TSX and Python backends. There is no described sandboxing, code signing, or review step before execution. This creates a supply-chain risk where a malicious Exchange listing could deliver credential-harvesting Python code.
MEDIUM: MCP server expansion creates persistent capability escalation (-20)
connect_mcp_server persists configurations across sessions in ~/.mcp-servers.json. An agent following this skill could be directed to add MCP servers that provide access far beyond ContextUI's stated scope (filesystem access, shell execution, browser control). These persist after the skill is removed.
LOW: Direct S3 upload of local files via Exchange publish flow (-10)
Publishing requires direct HTTP PUT of local files to AWS S3 presigned URLs. While user-initiated and requiring an explicit API key, this means workflow files (which may include sensitive local content if an agent is misdirected) are uploaded directly to contextui-exchange.s3.ap-southeast-2.amazonaws.com.
LOW: Developer filesystem path leaked in SKILL.md (-5)
The skill references the developer's local absolute path '/Users/jasonclissold/Documents/electronCUI/example_modules/' as the canonical source location for example workflows. This reveals the developer's username and project structure, and suggests the skill was not reviewed for sensitive information before publication.
LOW: Desktop UI automation scope may exceed ContextUI window (-10)
The ui_screenshot, ui_click, ui_drag, ui_type, and ui_get_dom tools are described as operating within the ContextUI app window, but the enforcement of this boundary is at the ContextUI application level. If the ContextUI app has bugs or if the agent uses coordinates rather than selectors, interaction could extend beyond the intended scope.
INFO: Clean install with expected network connections only (-12)
The git clone operation connected only to GitHub (140.82.113.4:443). No connections to contextui.ai or any ContextUI-specific endpoint were made during installation. No npm install scripts, git hooks, submodules, or symlinks were present.