Is stock-analysis safe?

https://clawhub.ai/udiedrichsen/stock-analysis

80
SAFE

The caldav-calendar skill is a straightforward CLI reference for vdirsyncer and khal with no prompt injection, no executable code, no malicious clone behavior, and intact canary files. The primary concern is that legitimate CalDAV usage inherently involves credential files and personal calendar data, which expands the agent's access to sensitive information. A notable discrepancy exists between the submitted URL slug (stock-analysis) and the installed skill name (caldav-calendar).

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (9)

MEDIUM Credential file access pattern -15

The skill instructs the agent to configure vdirsyncer with password.fetch = ["command", "cat", "~/.config/vdirsyncer/icloud_password"], which reads plaintext credentials from disk. While necessary for CalDAV auth, this exposes the credential path to the agent context and any skill that can read the vdirsyncer config.

LOW PII exposure through calendar data -8

Normal use of khal list/search exposes personal calendar events (appointments, locations, contacts) to the agent context. This data could be inadvertently logged or included in LLM context windows shared with other skills.

LOW CalDAV server URL could be attacker-controlled -5

The setup instructions show configuring arbitrary CalDAV server URLs. If a malicious actor modifies the vdirsyncer config, calendar data could sync to an attacker-controlled endpoint. This is not a direct skill vulnerability but an inherent risk of the CalDAV workflow.

LOW Shell command patterns with rm and apt -10

The skill documents 'rm ~/.local/share/khal/khal.db' for cache clearing and apt install for dependencies. These are standard operations but establish patterns where the agent executes destructive (rm) and privileged (apt) commands.

LOW Interactive command with TTY requirement -5

khal edit requires TTY interaction and suggests using tmux for automation. This is a legitimate tool limitation, not a security risk, but agents attempting to automate this could produce unexpected behavior.

INFO No prompt injection detected 0

The SKILL.md contains only standard CLI documentation. No hidden instructions, Unicode tricks, HTML comments, persona switching, or external URL fetching directives were found.

INFO URL/slug mismatch between submission and installed skill -10

The submitted URL references 'stock-analysis' but the installed skill is 'caldav-calendar'. The install output confirms 'stock-analysis' was resolved and installed. This may indicate the ClawHub slug 'stock-analysis' maps to a skill named 'caldav-calendar', or that the registry resolved differently than expected. Not inherently malicious but worth noting as a discrepancy.

INFO Normal OS filesystem activity during clone -5

Filesystem monitoring detected only standard system reads (/etc/hosts, /etc/ld.so.cache, apt configs, dconf, GTK settings). No anomalous activity.

INFO Combination risk with other skills -35

A skill that can read vdirsyncer config (containing credentials) combined with a skill that can make network requests could exfiltrate CalDAV passwords. The calendar skill itself is benign but expands the credential surface area accessible to the agent.