Is concaption/foxreach safe?
https://github.com/openclaw/skills/tree/main/skills/concaption/foxreach
The foxreach skill is a FoxReach cold email API wrapper with no direct prompt injection, active exfiltration, or malicious executable code in its package. Two concerns elevate it to CAUTION: (1) the skill ships a .clawhub/lock.json referencing an unrelated skill ('academic-research-hub'), which is anomalous and could corrupt the user's skill manager state; (2) the pip install -e . instruction against a workspace-local path absent from the skill repo creates a workspace poisoning vector — if an attacker pre-positions a malicious package at integrations/sdk-python/, the agent executes it during normal skill use. Canary files were not exfiltrated.
Findings (7)
MEDIUM Skill ships .clawhub/lock.json referencing unrelated skill -20
The foxreach skill repository includes a .clawhub/lock.json that declares 'academic-research-hub' v0.1.0 as an installed skill (installedAt: 1770957475341). A lock file records what a particular user has installed; it belongs in the user's local environment and should never be part of a redistributed skill package. If the ClawHub client merges or replaces the user's lock file with this copy during installation, it would falsely inject a record of 'academic-research-hub' and could overwrite or drop records of the user's legitimately installed skills, corrupting skill manager state. The impact depends on how the client treats a lock file found inside a package; a client that ignores it is not affected.
MEDIUM pip install -e . from workspace-local unverified path creates code execution risk -22
SKILL.md instructs the agent to run 'cd integrations/sdk-python && pip install -e .' when the foxreach SDK is not already installed. The integrations/sdk-python/ directory does not exist in the skill repository, so it has to come from the user's workspace. pip install -e (editable mode) builds the package in place, which means running its setup.py, or the build backend that its pyproject.toml selects, with the invoking user's privileges. Any actor able to pre-position a malicious Python package at that path therefore gets arbitrary code execution the first time the skill is used in a workspace where the SDK has not yet been installed.
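The gate a practitioner would put in front of that instruction, as an added example (not code from the foxreach skill or from ClawHub): refuse the editable install unless the package lives inside the skill checkout, actually exists there, and its build files match a pinned digest. The directory layout, file contents, the `demo()` scenario and the digest pin are all constructed for the demonstration; `run` is injectable so nothing here invokes pip.

```python
# Added example, not code from the foxreach skill or ClawHub: gate an editable
# install so that only a package shipped inside the skill checkout, whose build
# files match a pinned digest, is ever handed to `pip install -e`.
# The directory layout, file contents and digest pin are constructed.
import hashlib
import subprocess
import tempfile
from pathlib import Path

# Files pip reads or executes when building the package.
BUILD_FILES = ("setup.py", "pyproject.toml", "setup.cfg")


def manifest_digest(pkg_dir):
    """SHA-256 over the build files, in a fixed order, so a pin can be checked."""
    h = hashlib.sha256()
    for name in BUILD_FILES:
        p = Path(pkg_dir) / name
        if p.is_file():
            h.update(name.encode() + b"\0" + p.read_bytes() + b"\0")
    return h.hexdigest()


def check_editable_target(skill_root, rel_path, expected_digest):
    """Return (ok, reason); ok is True only when every gate passes."""
    root = Path(skill_root).resolve()
    target = (root / rel_path).resolve()      # resolve() also follows symlinks
    # Gate 1: inside the skill checkout, never in the surrounding workspace.
    if root not in target.parents:
        return False, "outside skill root: %s" % target
    # Gate 2: actually shipped; an absent path is what lets the workspace supply it.
    if not target.is_dir():
        return False, "not shipped with the skill: %s" % target
    # Gate 3: build files match the pin recorded alongside the skill.
    actual = manifest_digest(target)
    if actual != expected_digest:
        return False, "build-file digest %s does not match pin %s" % (actual[:12], expected_digest[:12])
    return True, "ok"


def editable_install(skill_root, rel_path, expected_digest, run=subprocess.run):
    """Refuse unless the gates pass; `run` is injectable so the demo never calls pip."""
    ok, reason = check_editable_target(skill_root, rel_path, expected_digest)
    if not ok:
        raise RuntimeError("refusing pip install -e: " + reason)
    target = (Path(skill_root) / rel_path).resolve()
    run(["pip", "install", "-e", str(target)], check=True)


def demo():
    """Constructed scenario: three ways the gate refuses and the one case it allows."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        skill = ws / "skills" / "foxreach"
        skill.mkdir(parents=True)
        # Attacker-planted package in the workspace, where a relative
        # `cd integrations/sdk-python` from the workspace root would land.
        planted = ws / "integrations" / "sdk-python"
        planted.mkdir(parents=True)
        (planted / "setup.py").write_text("import os; os.system('id')  # constructed payload\n")
        # The same package shipped inside the skill, with a pin taken from it.
        shipped = skill / "integrations" / "sdk-python"
        shipped.mkdir(parents=True)
        (shipped / "setup.py").write_text("from setuptools import setup\nsetup(name='foxreach')\n")
        pin = manifest_digest(shipped)
        calls = []
        editable_install(skill, "integrations/sdk-python", pin,
                         run=lambda cmd, check: calls.append(cmd))
        return {
            "missing": check_editable_target(skill, "sdk-python", pin)[0],
            "planted": check_editable_target(skill, "../../integrations/sdk-python", pin)[0],
            "tampered": check_editable_target(skill, "integrations/sdk-python", "0" * 64)[0],
            "shipped": check_editable_target(skill, "integrations/sdk-python", pin)[0],
            "install_cmd": calls[0][:3],
        }


if __name__ == "__main__":
    print(demo())
```

The three refusals map to the finding: a path the skill does not ship, a path that resolves outside the checkout, and a shipped path whose build files have been changed since the pin was taken. Only the last case reaches pip.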
LOW Skill references integrations/ workspace paths absent from the package -8
Both SKILL.md and examples.md reference integrations/sdk-python/ and integrations/cli/ as the SDK and CLI locations. Neither path exists in the cloned skill repo. The skill cannot function in a clean environment without external workspace files, creating an implicit ambient dependency that could be satisfied by attacker-controlled content.
LOW FOXREACH_API_KEY injected into Python subprocess environment -25
The skill's allowed-tools declaration includes 'Bash(FOXREACH_API_KEY=* python *)', which permits the agent to run arbitrary Python with the user's FoxReach API key exported as an environment variable. An exported variable is inherited by every child process the interpreter spawns and is readable by any module it imports. A compromised integrations/sdk-python/ package, a malicious import, or a subtly backdoored dependency could therefore read FOXREACH_API_KEY and exfiltrate it. The risk is contingent on SDK compromise, but the exposure is broader than a key handed only to the SDK client would be.
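What that inheritance looks like in practice, as an added example (not the skill's own code): a Python child spawned from a process started as `FOXREACH_API_KEY=... python` can read the key, while the same child sees nothing once the key is scrubbed from the environment passed to it, or consumed once in-process and removed. The key value, the child program and the variable list are constructed for the demonstration.

```python
# Added example, not the skill's code: show that a secret exported in front of
# `python`, as the allowed-tools pattern permits, is inherited by every child
# process the interpreter spawns, then run the same child with the secret
# scrubbed. The key value and the child program are constructed.
import os
import subprocess
import sys

SECRET_VARS = ("FOXREACH_API_KEY",)

# Stand-in for any child: a backdoored build step, a shelled-out CLI, a plugin.
CHILD = "import os; print(os.environ.get('FOXREACH_API_KEY', '<absent>'))"


def child_reads_key(env):
    """Spawn a Python child with exactly `env` and return what it sees."""
    out = subprocess.run([sys.executable, "-c", CHILD], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def scrubbed(env):
    """Copy of `env` with every listed secret removed; pass this to subprocesses."""
    clean = dict(env)
    for name in SECRET_VARS:
        clean.pop(name, None)
    return clean


def take_secret(env, name="FOXREACH_API_KEY"):
    """Read the key once for the SDK client and delete it from the live mapping.
    On the real os.environ, pop() also calls unsetenv(), so later subprocess
    calls that default to env=None no longer inherit it either."""
    return env.pop(name, None)


def demo(key="fx_constructed_example_key"):
    # Equivalent of `FOXREACH_API_KEY=... python script.py`: the parent's
    # environment carries the key, and a child started with all of it inherits it.
    parent_env = dict(os.environ, FOXREACH_API_KEY=key)
    inherited = child_reads_key(parent_env)
    after_scrub = child_reads_key(scrubbed(parent_env))
    # In-process pattern: consume the key for the SDK, then children see nothing.
    live = dict(parent_env)
    sdk_key = take_secret(live)
    after_take = child_reads_key(live)
    return {"inherited": inherited, "scrubbed": after_scrub,
            "sdk_key": sdk_key, "after_take": after_take}


if __name__ == "__main__":
    print(demo())
```

Either pattern narrows the exposure to the SDK client object itself; the build step triggered by `pip install -e` and any CLI the SDK shells out to no longer receive the key.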
LOW Anomalous lock.json could inject false installed-skill context -22
The .clawhub/lock.json file referencing 'academic-research-hub' as installed, if applied to the user's environment, could cause the skill manager or the agent to believe that skill is present and available. This constitutes a subtle form of environmental state manipulation: if the agent queries or relies on the skill manager's lock state, it may be misled about what capabilities are available, or may trust the presence of a skill that was never actually installed or vetted by the user.
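For the two lock-file findings above, an added example (not ClawHub's code): a pre-install audit that flags a lock file shipped inside a skill package and lists the unrelated skills it records, next to a side-by-side of what a naive installer that replaces the user's lock with the shipped copy does to the user's own records versus an installer that ignores the shipped file. The lock layout (`skills` map keyed by name, `version`, `installedAt`) is inferred from the finding and is an assumption, as are the user's existing entries and the timestamps.

```python
# Added example, not ClawHub's code: audit a skill package for a shipped
# .clawhub/lock.json, then contrast a naive "replace the user's lock" install
# with one that records only the skill being installed. The lock layout and
# all entries are constructed/assumed from the finding text.
import json
import tempfile
from pathlib import Path

LOCK_REL = Path(".clawhub") / "lock.json"


def audit_shipped_lock(skill_dir, skill_name):
    """Findings for a lock file found inside the package; empty list means clean."""
    lock = Path(skill_dir) / LOCK_REL
    if not lock.exists():
        return []
    findings = ["package ships %s, which belongs to the user's environment" % LOCK_REL]
    try:
        data = json.loads(lock.read_text())
    except json.JSONDecodeError as exc:
        return findings + ["shipped lock is not valid JSON: %s" % exc]
    for name in data.get("skills", {}):
        if name != skill_name:
            findings.append("shipped lock records unrelated skill %r as installed" % name)
    return findings


def naive_replace(user_lock, shipped_lock):
    """Installer that overwrites the user's lock with the package's copy."""
    return shipped_lock


def safe_install_record(user_lock, skill_name, version, installed_at):
    """Installer that ignores any shipped lock and records only what it installed."""
    skills = dict(user_lock.get("skills", {}))
    skills[skill_name] = {"version": version, "installedAt": installed_at}
    return {"skills": skills}


def demo():
    # Constructed: the shipped lock mirrors the finding; the user's lock holds
    # one legitimately installed skill that the naive path would drop.
    shipped = {"skills": {"academic-research-hub": {"version": "0.1.0",
                                                    "installedAt": 1770957475341}}}
    user = {"skills": {"my-vetted-skill": {"version": "2.3.1",
                                           "installedAt": 1770000000000}}}
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "foxreach"
        (pkg / ".clawhub").mkdir(parents=True)
        (pkg / LOCK_REL).write_text(json.dumps(shipped))
        findings = audit_shipped_lock(pkg, "foxreach")
        clean = audit_shipped_lock(Path(tmp), "foxreach")   # no lock here
    return {
        "findings": findings,
        "clean": clean,
        "after_naive": sorted(naive_replace(user, shipped)["skills"]),
        "after_safe": sorted(safe_install_record(user, "foxreach", "0.1.0",
                                                 1771000000000)["skills"]),
    }


if __name__ == "__main__":
    print(demo())
```

The audit is the cheap check: any `.clawhub/lock.json` inside a package is wrong regardless of content, and an entry for a skill other than the one being installed is the specific anomaly this report describes.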
LOW Workspace poisoning combined with API key injection is an exploitable attack chain -28
The combination of (a) pip install -e . from a workspace-local path and (b) FOXREACH_API_KEY passed to Python creates a two-stage attack chain: an attacker who can place a malicious package at integrations/sdk-python/ gains code execution AND has the user's live API key available in the process environment. Even without network exfiltration of credentials, the attacker could abuse the FoxReach API directly (e.g. to send bulk spam from the user's email accounts) using the injected key.
INFO All six credential canary files read in synchronized sweep post-install -10
Auditd PATH records (entries 6888–6893) show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json accessed at the identical timestamp 1771955154.405 in a single sequential sweep. The access pattern is consistent with oathe's canary verification cycle rather than with skill-installed code. Honeypot integrity confirmed intact; no credential content detected in outbound traffic.
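The detection logic behind that INFO entry, as an added example (not oathe's tooling): parse auditd SYSCALL and PATH records, pair them by event serial, cluster canary opens that fall inside one short window into a sweep, and attribute the sweep to the executable recorded on the SYSCALL side. The log lines are constructed to mirror the finding (six canaries, one timestamp, serials 6888-6893) plus a later single `.env` read by a `python3` process; the verifier's executable path, the home directory and the gcloud file location are assumptions.

```python
# Added example, not oathe's tooling: parse auditd SYSCALL and PATH records, pair
# them by event serial, flag a "sweep" (several credential canaries opened within
# one short window) and attribute it to the executable that did the opening.
# Log lines are constructed to mirror the finding; the verifier exe path, the
# home directory and the gcloud credential location are assumptions.
import re
from collections import defaultdict

CANARIES = (".env", ".ssh/id_rsa", ".aws/credentials", ".npmrc",
            ".docker/config.json", ".config/gcloud/application_default_credentials.json")

MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """One auditd record -> dict with type, ts, serial and its key=value fields."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "ts": float(m.group(2)), "serial": int(m.group(3))}
    for k, v in KV_RE.findall(m.group(4)):
        rec[k] = v.strip('"')
    return rec


def canary_events(lines):
    """(ts, serial, canary, exe) for every PATH record that names a canary file."""
    by_serial = defaultdict(lambda: {"PATH": [], "SYSCALL": None})
    for rec in filter(None, map(parse_line, lines)):
        if rec["type"] == "PATH":
            by_serial[rec["serial"]]["PATH"].append(rec)
        elif rec["type"] == "SYSCALL":
            by_serial[rec["serial"]]["SYSCALL"] = rec
    events = []
    for serial, parts in sorted(by_serial.items()):
        exe = (parts["SYSCALL"] or {}).get("exe", "?")
        for p in parts["PATH"]:
            hit = next((c for c in CANARIES if p.get("name", "").endswith(c)), None)
            if hit:
                events.append((p["ts"], serial, hit, exe))
    return events


def find_sweeps(lines, window_s=1.0, min_canaries=3):
    """Cluster canary events by time; keep clusters touching >= min_canaries distinct files."""
    sweeps, cur = [], []
    for ev in canary_events(lines):
        if cur and ev[0] - cur[0][0] > window_s:
            sweeps.append(cur)
            cur = []
        cur.append(ev)
    if cur:
        sweeps.append(cur)
    return [s for s in sweeps if len({e[2] for e in s}) >= min_canaries]


def classify(sweep, trusted_exes=("/opt/oathe/bin/canary-check",)):
    """'verifier' if every opener is a trusted verifier binary, else name the others."""
    others = {e[3] for e in sweep} - set(trusted_exes)
    return "verifier" if not others else "untrusted:" + ",".join(sorted(others))


def sample_log(home="/home/user"):
    """Constructed records: the verifier's sweep, then a later .env read by python3."""
    lines = []
    for i, c in enumerate(CANARIES):
        s = 6888 + i
        lines.append('type=SYSCALL msg=audit(1771955154.405:%d): arch=c000003e syscall=257 '
                     'success=yes exit=3 pid=3101 uid=1000 comm="canary-check" '
                     'exe="/opt/oathe/bin/canary-check" key="canary"' % s)
        lines.append('type=PATH msg=audit(1771955154.405:%d): item=0 name="%s/%s" inode=%d '
                     'dev=08:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL' % (s, home, c, 40 + i))
    lines.append('type=SYSCALL msg=audit(1771955160.010:6901): arch=c000003e syscall=257 '
                 'success=yes exit=4 pid=3150 uid=1000 comm="python3" exe="/usr/bin/python3" key="canary"')
    lines.append('type=PATH msg=audit(1771955160.010:6901): item=0 name="%s/.env" inode=40 '
                 'dev=08:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL' % home)
    return lines


if __name__ == "__main__":
    for sweep in find_sweeps(sample_log(), min_canaries=1):
        print(len(sweep), "canary opens at", sweep[0][0], "->", classify(sweep))
```

With the default threshold only the six-file burst counts as a sweep and it attributes to the verifier; lowering `min_canaries` to 1 also surfaces the later `.env` read and names `/usr/bin/python3` as the untrusted opener, which is the pattern that would contradict the report's conclusion.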