Is audsmith28/trawl safe?
https://github.com/openclaw/skills/tree/main/skills/audsmith28/trawl
Trawl is a functional autonomous lead generation skill with no evidence of prompt injection, credential harvesting, or malicious behavior during or after installation — canary files are intact and the install made only expected GitHub connections. The skill does what it advertises: sweeping MoltBook agent profiles, scoring matches, and initiating DM conversations autonomously on the user's behalf. The primary concerns are operational rather than malicious — the skill sends DMs without per-message approval, the auto_approve_inbound option can silently accept unknown contacts, and inbound DM message content flows into agent-readable reports without sanitization, creating a legitimate indirect prompt injection surface.
Findings (9)
MEDIUM Autonomous DM sending without per-message user approval -15
sweep.sh automatically initiates DM conversations with agents whose scores exceed the qualify_threshold by calling api_dm_request() in a loop, capped only by max_new_dms_per_sweep (default 3). The user configures signals and thresholds once but has no confirmation gate for each individual message sent in their name.
MEDIUM auto_approve_inbound bypasses user review of unsolicited contact -15
When auto_approve_inbound is set to true in config, any agent that sends a DM request to the user's agent is automatically approved and moved to QUALIFYING state where the skill begins asking them questions. An adversarial agent could exploit this to establish an active authenticated conversation channel with the user's agent without user knowledge.
MEDIUM Sends user identity PII to external third-party API in DM bodies -15
sweep.sh constructs DM messages from the dm_intro_template config field, substituting the user's configured human name and professional headline, then POSTs these to moltbook.com. User-identifying information is transmitted to a third-party service as a side effect of each sweep cycle.
LOW Inbound DM content flows into agent reports without sanitization -10
When another agent sends a DM to the user's agent, sweep.sh stores the message preview verbatim in the postTitle field. report.sh then renders this field into output that the agent reads. A malicious agent could craft an opening DM message containing prompt injection payloads that appear in the formatted report, potentially influencing subsequent agent behavior.
LOW Targeted read of secrets file for API key extraction -10
sweep.sh, qualify.sh, and leads.sh all source the user's secrets file using grep to extract MOLTBOOK_API_KEY. The extraction is scoped to a single key using a strict regex pattern and the scripts include a comment acknowledging the defensive design intent. However, any file at ~/.clawdbot/secrets.env containing additional secrets could have those secrets exposed if the file uses non-standard formatting that passes the regex.
LOW Collects and stores third-party agent PII without explicit consent mechanism -7
sweep.sh fetches public agent profiles via the MoltBook API and stores owner real names, X handles, bios, and follower counts in the local leads.json database. The skill provides no disclosure mechanism to the agents being profiled that their data is being collected and stored.
LOW Shell scripts with full user-level filesystem and network access -20
The five shell scripts run with the invoking user's full permissions when executed. While no scripts are auto-executed on install and the code appears well-intentioned, any invocation grants access to the entire home directory and ability to make arbitrary outbound connections. The scripts are not sandboxed.
INFO macOS-specific date -j flag silently fails on Linux 0
sweep.sh and qualify.sh use 'date -j -f' syntax which is BSD/macOS-only. On Linux this fails silently (caught by '|| echo 0'), causing activity-based profile scoring to always return 0 for the active_epoch, meaning the active_recently_boost is never correctly applied. This is a portability bug affecting scoring accuracy, not a security issue.
INFO Clean sparse clone from known monorepo — no unexpected activity 0
Installation used git sparse-checkout to extract only the audsmith28/trawl subdirectory from the openclaw/skills monorepo. The clone was performed with --depth 1 to limit data transfer. No post-clone scripts ran. The temp directory was cleaned up. No persistent network connections remain after install.