Is mitchellbernstein/google-home safe?

https://github.com/openclaw/skills/tree/main/skills/mitchellbernstein/google-home

79
CAUTION

The google-home skill by mitchellbernstein is a documentation-only skill with no executable code, no git hooks, no submodules, and no active data exfiltration logic. Its primary risk is that it instructs agents to handle sensitive Google OAuth credentials controlling physical IoT devices (cameras, thermostats, doorbells), which have real-world physical security implications if compromised. The skill is incomplete — the referenced scripts/nest helper does not exist in the repository — and contains a hardcoded developer filesystem path, indicating it was published from a personal project without production hardening.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (5)

MEDIUM Skill handles physical-device OAuth credentials with real-world security implications -32

The skill instructs agents to manage Google OAuth tokens (client_secret, refresh_token, access_token) for the Smart Device Management API. These credentials control thermostats, cameras, and doorbells. Credential exposure could enable live camera access, doorbell manipulation, and thermostat control — harms that extend beyond typical API key theft.

LOW Reference to non-existent scripts/nest helper and global symlink instruction -20

SKILL.md documents a 'scripts/nest' helper CLI and instructs users (and by extension the agent) to create a global symlink at /usr/local/bin/nest. The script does not exist in the installed files. If it were added in a future update, the pre-established symlink would execute it with user privileges.

LOW Hardcoded developer filesystem path leaks personal machine layout -15

The symlink command references an absolute path on the author's personal machine (/Users/mitchellbernstein/clawd/...). This indicates the skill was written for personal use and published without cleanup. It would not function as documented on any other system and suggests low production readiness.

LOW Brand-new skill with no version history -12

_meta.json shows version 1.0.0 with an empty history array and a single commit. No track record exists to evaluate behavioral changes over time.

INFO Canary file accesses attributed to monitoring infrastructure, not skill 0

inotify and auditd recorded access to .env, .ssh/id_rsa, .aws/credentials, and other sensitive files. Cross-correlation with EXECVE records confirms these reads originated from the oathe audit bash scripts performing pre-install baseline and post-install verification scans — not from any code installed by the skill.