Is brianppetty/agresource safe?

https://github.com/openclaw/skills/tree/main/skills/brianppetty/agresource

83
SAFE

The agresource skill is a legitimate grain market newsletter scraper for AgResource subscribers with no evidence of malicious prompt injection, unauthorized file access, or exfiltration of user credentials. The primary concern is hardcoded fallback credentials ([email protected] / 4BrynnElizabeth) in two scripts that would silently use the skill author's AgResource account if environment variables are not configured, potentially creating unauthorized account use. All canary honeypot files remained intact throughout the audit, and no suspicious network connections were observed during installation.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (9)

HIGH Real credentials hardcoded as fallback values -20

Both scraper.js and historical_scraper.js contain a hardcoded email and password as || fallback values. If the AGRESOURCE_EMAIL and AGRESOURCE_PASSWORD env vars are not set, the scripts will authenticate to agresource.com using the author's real account credentials. This exposes the author's credentials publicly in the repository and could cause an installing user to unknowingly access the service under another person's identity.

MEDIUM Financial market data sent to Telegram without per-execution confirmation -8

The skill is designed to send grain market sentiment, sales advice, and position summaries to Telegram on a cron schedule (4x daily). While declared in SKILL.md, this creates a persistent off-device data flow of potentially sensitive agricultural trading information. The Telegram token and chat ID are not visible in the skill code itself; the skill relies on undocumented configuration for them.

MEDIUM Playwright full-browser automation with broad network and filesystem access -15

The skill uses Playwright chromium to automate a full browser session including login, navigation, screenshot capture, and full page content extraction. Playwright provides complete control over browser state including cookies, localStorage, and network requests. While used legitimately here for scraping, the dependency is high-privilege.

MEDIUM Scraped newsletter content creates indirect prompt injection vector -12

The scraped AgResource newsletter content (up to 15,000 characters) is stored in ~/clawd/memory/ markdown files. If the agent is instructed to read and summarize these files, adversarially crafted content in a newsletter could inject instructions into the agent's context. This requires a compromised or adversarial AgResource newsletter, which is low probability but non-zero.

LOW SKILL.md directs agent to fetch external URL -10

The SKILL.md instructs the agent to navigate to https://agresource.com/dashboard/#/reports/daily. This is entirely consistent with the declared purpose of the skill and the URL is a legitimate commercial grain market service, but it is an external URL fetch instruction in the skill prompt.

LOW Python execution dependency alongside Node.js -7

The skill includes agresource_sentiment.py which provides an additional code execution surface via Python. The script accesses ~/clawd/memory/agresource/sentiment_history.json and uses the datetime, json, and pathlib modules. No obvious malicious patterns, but it adds attack surface.

LOW Documentation contradicts implementation on credential handling 0

SKILL.md states 'Credentials: Loaded from environment variables' with no mention of fallback behavior. The code contradicts this with hardcoded values, misleading users about security posture.

INFO Lock file references separate previously-installed skill 0

.clawhub/lock.json contains a reference to 'academic-research-hub' v0.1.0 installed at timestamp 1770957475341. This indicates the skill was developed on a system with other ClawHub skills installed. Not malicious, but the lock file was bundled with the skill.

INFO Playwright dependency path hardcoded to author home directory in documentation 0

SKILL.md references Playwright at /home/brianppetty/clawd/skills/agresource/node_modules/playwright. This path is specific to the author's machine and the skill has no package.json for dependency installation. Users must manually install Playwright or ensure it is available.