Cozi Family Organizer

Security checks across malware telemetry and agentic risk

Overview

This Cozi skill is purpose-aligned and disclosed, but it can modify family organizer data and stores Cozi credentials or session tokens locally.

Install only if you are comfortable giving this skill access to your Cozi account. Protect the .env and .session.json files, avoid shared machines for this setup, and ask your agent to confirm before running delete-list, remove, or remove-appt commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill requires access to sensitive environment variables (`COZI_EMAIL`, `COZI_PASSWORD`) but does not declare permissions in the manifest. This creates a transparency and trust problem: an agent or user may invoke the skill without clear awareness that account credentials are required and consumed by the code.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description says the skill manages shopping lists, todo lists, and item management, but the documented commands also read and modify calendar data, including appointment creation and deletion. This mismatch broadens the skill's effective privileges beyond the stated purpose, increasing the risk of unauthorized or unexpected access to more sensitive family scheduling data.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description says it manages shopping and todo lists, but the code also reads and modifies calendar appointments. This undocumented scope expansion is dangerous because users or downstream agents may grant trust based on the narrower manifest and unintentionally allow access to more sensitive family scheduling data and destructive calendar actions.

Context-Inappropriate Capability

Low
Confidence
87% confidence
Finding
The script automatically reads credentials from local .env files, including a higher-level agent .env outside the skill directory. Even though it filters for COZI_* variables, this still expands secret-access behavior beyond direct user input and can silently consume stored credentials without clear consent, increasing the risk of unintended account access.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation instructs users to store account email and password in local `.env` files and mentions session caching, but provides no warning about plaintext credential storage, token sensitivity, or filesystem protection. This can lead to accidental credential exposure through weak file permissions, backups, logs, or shared environments.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The documented commands include destructive operations such as removing items, deleting lists, and removing appointments without clearly warning that these actions may be irreversible. In a family organizer context, unexpected deletion can cause loss of shared household data and scheduling information.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script uses email and password credentials to authenticate to a remote third-party API, but only mentions this as a technical requirement. In an agent-skill context, silent transmission of account credentials is sensitive because users may not realize the skill performs live authentication and account-bound remote operations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code persists authentication session data, including an access token, to a local .session.json file without any permission hardening or disclosure. If the local filesystem is accessible to other users, processes, or tools, the token could be reused to access or modify the user's Cozi data without needing the password.

Session Persistence

Medium
Category
Rogue Agent
Content
## Environment Variables

Set these in your agent's `.env` (`~/.openclaw/.env`) or create a skill-level `.env` at `~/.openclaw/skills/cozi/.env`:

- `COZI_EMAIL` — Your Cozi account email
- `COZI_PASSWORD` — Your Cozi account password
Confidence
82% confidence
Finding
create a skill-level `.env` at `~/.openclaw/skills/cozi/.env`: - `COZI_EMAIL` — Your Cozi account email - `COZI_PASSWORD` — Your Cozi account password The script only reads `COZI_EMAIL` and `COZI_PA

VirusTotal

66/66 vendors flagged this skill as clean.
