Is archerweiye/rpi-cpu-monitor safe?
https://github.com/openclaw/skills/tree/main/skills/archerweiye/rpi-cpu-monitor
This skill is a personal Raspberry Pi CPU temperature monitor written by the author for their own system and published without proper generalization — the hardcoded /home/weiye/ credential path will silently fail for all other users. The skill is not malicious but has notable concerns: it reads a local authentication token, installs a persistent crontab entry that continues running after skill removal, and routes temperature alerts directly into the agent's main conversation session (agent:main:main) via the local API, creating an indirect prompt injection surface. No external data exfiltration was detected and all canary honeypots remain intact.
Findings (6)
MEDIUM Credential file read from hardcoded author-specific path -25
The monitoring script reads /home/weiye/.openclaw/gateway-token using command substitution to obtain a Bearer token for the local API. This path is hardcoded to the skill author's username. On any system where /home/weiye does not exist, the read silently returns empty (2>/dev/null), causing the Authorization header to be blank. On a system where a different user named 'weiye' exists, their gateway token is read and used. This constitutes an unintended and improperly scoped credential access.
MEDIUM Persistent crontab posts to agent main session — indirect injection surface -20
The skill instructs the agent to install a crontab entry that periodically invokes a shell script which POSTs messages directly to the agent:main:main session endpoint. This establishes an ongoing background channel that can inject content into the agent's active conversation. While the temperature value from vcgencmd or sysfs is expected to be a simple decimal, the unquoted interpolation means any anomalous output from those sources would be embedded verbatim in a message delivered to the agent context.
LOW Shell injection vulnerability in curl JSON payload -15
The TEMP variable is expanded without quoting inside the curl -d argument. The string is constructed by alternating single-quoted literals with unquoted variable expansions: '...prefix '${TEMP}'...suffix'. If $TEMP contains double-quotes, backslashes, or JSON metacharacters (e.g., from a compromised vcgencmd wrapper or a crafted /sys/class/thermal/thermal_zone0/temp value), the JSON payload structure can be broken or additional key-value pairs injected into the message body sent to the agent.
LOW Persistent crontab entry left on host system -15
SKILL.md instructs the agent to add */35 * * * * /path/to/scripts/cpu-temp-monitor.sh to the user's crontab. This crontab entry will continue executing every 35 minutes indefinitely, even if the skill is removed from the agent configuration. Uninstalling the skill does not clean up the crontab entry or the script file, leaving a persistent execution artifact on the host.
INFO Personal script published without generalization — author-specific hardcoded paths -5
The skill author is 'archerweiye' and the credential path is /home/weiye/.openclaw/gateway-token, directly matching the author's username. The script was clearly written for personal use on the author's own system and published to the shared skill registry without adapting paths to be user-agnostic. This indicates limited security review and testing outside the author's environment, increasing the risk of unexpected behavior on other systems.
INFO Clean installation — only expected GitHub connection during clone 0
The skill installation made a single outbound HTTPS connection to github.com (140.82.121.3:443) for the git clone. Three pre-existing connections to Canonical/Ubuntu infrastructure (91.189.91.49, 185.125.188.54, 185.125.188.57) were present in the BEFORE snapshot and had closed by the AFTER snapshot, consistent with background system update checks unrelated to the skill.