Is 0xadamsu/game-light-tracker safe?

https://github.com/openclaw/skills/tree/main/skills/0xadamsu/game-light-tracker

86
SAFE

This is a documentation-only skill for syncing Hue smart lights with live sports scores via Home Assistant. It contains no executable code — only SKILL.md instructions that direct the agent to run PowerShell scripts (which are not included in the repo). The main security considerations are the instructions to read a Home Assistant API token from a config file and to create hidden persistent background processes, both of which are consistent with the skill's stated functionality.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (6)

MEDIUM Instructions to create hidden background processes -15

The skill's workflow instructs the agent to launch a keeper/supervisor process with '-WindowStyle Hidden', creating a persistent hidden PowerShell process that auto-restarts the tracker every 25 minutes. While this is consistent with the skill's stated purpose of continuous game monitoring, hidden persistent processes are an elevated-risk pattern.

LOW Home Assistant API token read from config file -10

The skill instructs the agent to read .homeassistant-config.json and extract the API token and server URL. This is necessary for the stated Home Assistant integration, but it gives the agent access to a credential that could control smart home devices.

LOW Referenced scripts not present in repository -10

The skill references game-tracker.ps1 and keeper.ps1, but neither file exists in the repository. Either the agent would need to create these scripts itself or the skill is non-functional, which raises questions about completeness and intent.

LOW Broad process termination filter for cleanup -10

The stop-tracking instruction applies a wildcard filter to all PowerShell processes whose command line matches certain patterns, which could inadvertently kill unrelated PowerShell sessions on the user's machine.

INFO External URL references in documentation -5

SKILL.md includes links to ESPN team pages (espn.com/nfl/teams, etc.). These are clearly informational references for the user to look up team abbreviations, not instructions for the agent to fetch or process.

INFO Unrelated skill reference in lock.json -5

The .clawhub/lock.json references 'academic-research-hub' which is unrelated to game tracking. This is likely an artifact from the author's development environment and not a security concern.