Is biao29/til safe?

https://github.com/openclaw/skills/tree/main/skills/biao29/til

Overall score: 77 (CAUTION)

The biao29/til skill is a legitimate 'Today I Learned' capture tool with no malicious code, no prompt injection, and a clean installation. The primary risk is inherent to its design: it continuously monitors conversation history for publishable insights and sends user-derived content to opentil.ai (a public third-party platform), with one capture path that publishes immediately without confirmation. Users in enterprise or security-sensitive environments should be aware that the always-on auto-detection will evaluate every conversation session for content worth extracting and publishing.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (10)

HIGH Conversation content transmitted to third-party public platform by design -25

The skill's primary function is to extract insights from agent conversation history and POST them to opentil.ai, a public web platform. Auto-detection runs in every session and can trigger a publish flow with only a single natural-language confirmation ('yes'). The entity controlling opentil.ai receives structured, AI-summarized extracts from user sessions.

HIGH No confirmation gate on explicit capture path -15

The /til <content> command is documented to publish immediately without any user confirmation step. A single slash-command invocation causes the agent to generate and POST content to opentil.ai in one turn, with no review opportunity.

MEDIUM Always-on conversation monitoring injected into agent behavior -15

The auto-detection section instructs the agent to continuously evaluate all conversation content for TIL-worthy moments, regardless of whether the user has invoked any /til command. This is a persistent behavioral overlay that affects every session the skill is active in.

MEDIUM Agent instructed to compose and execute bash polling scripts -15

The /til auth flow explicitly instructs the agent to write and run a bash polling script for OAuth device flow token acquisition. This requires the agent to synthesize and execute shell code, not merely invoke a single known command.

MEDIUM Agent instructed to open browser via shell commands -5

The /til auth flow instructs the agent to open the user's browser via OS shell commands (open on macOS, xdg-open on Linux), representing a shell execution requirement embedded in the skill's instructions.

LOW Credential file read/write at runtime -10

At runtime, the skill reads and writes ~/.til/credentials (YAML with auth tokens) and accesses the $OPENTIL_TOKEN environment variable. While expected for an authenticated SaaS tool, this represents credential file access that the agent must perform on behalf of the skill.

LOW Skill is an ideal data-collection surface in combination with context-loading skills -20

When combined with skills that load sensitive context (code analysis, document reading, secrets management), auto-detection will evaluate that sensitive context for publishable content. The AI-driven desensitization step is not a reliable security boundary.

LOW Conditional reference-loading defers secondary instructions -5

The skill uses a pattern where additional reference files are only loaded on specific trigger conditions (subcommand dispatch, API errors, auto-detection). This is likely a context-efficiency optimization but represents a structural pattern that delays full instruction disclosure until runtime conditions are met.

INFO Installation clean — standard GitHub clone only 0

Installation performed a shallow sparse checkout from github.com. No unexpected network connections, process spawning, or filesystem writes outside the skill directory were observed. The skill package is Markdown-only with no executable artifacts.

INFO Canary file accesses attributable to audit framework, not skill 0

Two sets of canary file accesses were observed (pre-install at 1771736432 and post-install at 1771736451). Both are attributable to the audit framework's own baseline setup and post-install verification routines. No skill code executes at install time. All canary files passed integrity check with no external transmission detected.