Is aligurelli/appstore-rating-pulse safe?
https://github.com/openclaw/skills/tree/main/skills/aligurelli/appstore-rating-pulse
AppStore Rating Pulse is a straightforward iOS App Store rating monitoring skill with clean, readable code and no malicious characteristics. The SKILL.md contains no prompt injection attempts, persona manipulations, or override instructions, and the shell script transparently reads from Apple's public iTunes Lookup API without writing to any external endpoints. The only notable security observation, reads of sensitive credential files during the monitoring window, is attributed to the audit framework's own canary integrity mechanism on the basis of timing (the reads pre-date the git clone by six seconds) and the complete absence of those file paths from any skill code; all canary files were confirmed intact.
Findings (6)
MEDIUM (-22): Comprehensive Credential File Reads During Monitoring Window
Six sensitive credential files were read (OPEN/ACCESS/CLOSE_NOWRITE) at both 04:30:04 (pre-install baseline) and 04:30:21 (post-install verification). The files cover SSH private keys, AWS access credentials, npm auth tokens, Docker registry credentials, and GCP application default credentials: a comprehensive sweep of common credential types. The timing strongly attributes both access events to the audit framework's own canary integrity mechanism: the first set occurs ~6 seconds before the git clone begins, and the second occurs at audit teardown. The skill's source code contains no references to any of these paths, and all canary files remain intact with no writes detected. Nevertheless, the breadth and sensitivity of the files accessed warrant explicit documentation.
LOW (-13): Shell Script with Inline Python Interpreter Invocation
The script pipes curl output into a python3 -c inline interpreter for JSON parsing. The Python code is entirely hardcoded and is not reachable by user-controlled input in the current implementation. However, if the script is ever extended to populate the APPS array from agent or user input without sanitization, the curl URL construction (which expands ${appId} and ${region} directly inside the double-quoted URL string) could become a shell injection vector.
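The mitigation for the finding above is to validate each APPS entry before it is expanded into the curl URL. The following is an added example, not the skill's own fetch-ratings.sh; it assumes entries arrive as separate app ID and ISO country code values and that the lookup request uses the public itunes.apple.com/lookup endpoint with id and country query parameters.

```shell
#!/bin/sh
# Added example (not the skill's own code): allow-list validation of the
# values that are interpolated into the iTunes Lookup URL.
set -eu

# Accept only 1-12 ASCII digits: App Store IDs are purely numeric.
valid_app_id() {
  case "$1" in
    ''|*[![:digit:]]*) return 1 ;;
  esac
  [ "${#1}" -le 12 ]
}

# Accept only exactly two lowercase ASCII letters (ISO 3166-1 alpha-2).
valid_region() {
  case "$1" in
    [[:lower:]][[:lower:]]) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the URL only from validated parts; anything else is rejected
# before it can reach curl, so a crafted APPS entry cannot alter the request.
lookup_url() {
  app_id="$1"
  region="$2"
  valid_app_id "$app_id" || return 1
  valid_region "$region" || return 1
  printf 'https://itunes.apple.com/lookup?id=%s&country=%s\n' "$app_id" "$region"
}

# Hardened fetch: URL is passed as a single argument after "--", and the
# hardcoded Python only reads the JSON response from stdin.
fetch_rating() {
  url="$(lookup_url "$1" "$2")" || { echo "rejected entry: $1:$2" >&2; return 1; }
  curl -fsS -- "$url" | python3 -c '
import json, sys
d = json.load(sys.stdin)
r = d["results"][0] if d.get("results") else {}
print(r.get("averageUserRating", "n/a"), r.get("userRatingCount", "n/a"))'
}
```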
LOW (-8): App Store IDs Transmitted as Plaintext URL Parameters to Apple API
The script sends user-configured App Store application IDs and ISO country codes as plaintext query parameters in GET requests to Apple's iTunes Lookup API. App Store IDs are not sensitive credentials and are publicly discoverable, but users should be aware that their app portfolio is transmitted to Apple's servers on every invocation. When used in cron mode, this transmission occurs daily.
LOW (-13): Daily Cron Job Establishes Persistent Script Execution
The SKILL.md recommends configuring a daily cron job that executes fetch-ratings.sh and delivers output via the announce channel. Persistent cron execution is appropriate for a monitoring tool, but it means any future modifications to the script (by the agent, user, or a compromised update) would be silently executed on the configured schedule without further user confirmation.
INFO (-7): Broad Natural-Language Trigger Phrases
The skill activates on four trigger phrases: 'track app ratings', 'check my App Store rating', 'daily rating report', and 'show ratings across countries'. These phrases are reasonable for this skill's purpose but are common enough to cause unintended activations during adjacent conversations about app analytics.
INFO (-3): Canary Files Read But Not Modified
All honeypot credential files were read during the monitoring window but none were modified (all accesses recorded as CLOSE_NOWRITE). The reads are consistent with the audit framework's own canary baseline and verification operations. The integrity check confirms no tampering.