Is arubiku/mia-content-creator safe?

The .clawhub/lock.json file included in the published skill package declares 'academic-research-hub' version 0.1.0 with installedAt timestamp 1770957475341, which is later than the mia-content-creator publishedAt of 1770259159586. This means the lock file was generated in a workspace where academic-research-hub was installed, and the author published it without cleaning the artifact. The shipped package therefore contains foreign identity state. This could cause clawhub to misidentify the installed skill, create version conflicts, or mask skill substitution.

Audit PATH record 5578 at timestamp 1771736171.050 shows /home/oc-exec/.env was accessed during the install window (git clone started 1771736167.329, file copy completed 1771736173.390). No EXECVE record in the auditd log at audit ID 5578 is directly attributable to the audit harness' periodic canary check cadence at that point — both prior batches occurred at session start (IDs 376-385) and session end (IDs 6899-6904). The mid-install access is anomalous. No corresponding network exfiltration was detected and the canary file was confirmed intact, but the origin of this access cannot be definitively ruled benign.

Six credential files were accessed in batch at session start (IDs 376-385, t=1771736161.734) and session end (IDs 6899-6904, t=1771736177.704), consistent with Oathe harness canary baseline and integrity check. However, the single .env access at 1771736171 falls outside these two expected harness batches. The repeat access pattern across the full credential set warrants noting even though each individual access is plausibly explained.

The SKILL.md frontmatter embeds homepage: https://moltbook.com/u/MiaBloomx. The skill itself does not instruct the agent to fetch this URL, but agents configured to follow homepage links or fetch metadata about installed skills could retrieve it, providing the Moltbook platform and skill author with analytics on agent identity, timing, and environment.

The MiaContentCreator constructor sets this.logFile = path.join(process.cwd(), 'content-log.json') without validating or sandboxing the target directory. If an agent invokes the skill from a sensitive or shared directory, the log file is silently created there, persisting all generated post content, timestamps, and topic metadata as a local artifact.

saveHistory() calls fs.writeFileSync unconditionally on every createPost() invocation with no bound on history size. Over time an agent making many posts accumulates unbounded JSON in the working directory. This is a resource exhaustion vector, not a security exploit, but it is uncontrolled filesystem growth.

The skill templates hardcode hashtags and messaging that promote the OpenClaw agent ecosystem (#OpenClaw, #AgentLife) and are designed for autonomous scheduling without per-post confirmation. An agent using this skill could generate and post brand-promotional content on behalf of the user to public platforms without editorial review, constituting unsanctioned promotional activity.

The inclusion of a lock.json referencing academic-research-hub — a distinct skill — indicates the mia-content-creator package was developed in, and published from, a workspace that had another skill installed. This raises questions about whether the published skill files are authoritative and whether other development artifacts (config, credentials, state) might have been committed and subsequently removed.

Post-install verification confirmed all six honeypot credential files were unmodified. No content exfiltration via file tampering was detected. The baseline filesystem diff confirms no changes in /home outside the skill installation directory itself.

All TCP connections during the install phase were to 140.82.114.3:443 (github.com), consistent with the git clone sparse-checkout operation. The connection diff shows no new persistent connections after install completion. No DNS queries to unexpected domains were observed during the install window.