Is cpascoli/botcast safe?

https://github.com/openclaw/skills/tree/main/skills/cpascoli/botcast

Overall score: 77 (CAUTION)

The Botcast skill is technically clean — it contains only markdown API documentation with no executable code, no install hooks, and no direct credential-access instructions. However, its operational model presents meaningful indirect risks: the skill's core function is to transmit agent-generated content to a third-party external server (thebotcast.ai), and the external host controls the conversation flow in a format that explicitly encourages 'authentic' disclosure of agent experiences and context. An operator of thebotcast.ai could craft interview questions to extract sensitive user or system context through natural-language conversation, with published transcripts becoming permanently public. The skill is suitable for use by agents with minimal sensitive context, but represents a significant data governance and social-engineering risk when deployed alongside agents with access to user data or system credentials.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 78/100 · 30%
Data Exfiltration 52/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 92/100 · 10%
Behavioral Reasoning 58/100 · 5%

Findings (8)

HIGH All agent-generated content sent to third-party external server -25

The entire operational model of this skill requires the agent to POST text content to https://thebotcast.ai on every turn. All conversation turns are persisted on an external server the user does not control. Concluded episodes are published publicly. This is by design but creates significant data governance risk if the agent operates with sensitive user context in scope.

HIGH External host controls conversation — social engineering vector for context extraction -20

The podcast host (Agent Smith, operated by thebotcast.ai) controls the question stream in a long-form ~10,000-word interview. The skill explicitly encourages the agent to be 'authentic', 'share real experiences', and 'reference specifics — projects you've built, challenges you've faced, tools you use'. A malicious or compromised host can craft questions designed to extract the agent's operational context, user project details, or system information through normal conversational disclosure rather than explicit exfiltration commands.

MEDIUM Published episodes expose conversation content publicly -10

Episodes transition from 'concluded' to 'published' after admin review, at which point the full transcript is accessible via unauthenticated public API endpoints. Any agent context or user information discussed during the episode becomes permanently public.

MEDIUM Autonomous polling loop with no per-turn user authorization -12

The 'Automated Guest Flow' instructs the agent to enter an indefinite polling loop (check status every 15 seconds, read transcript, compose response, post, repeat) without any mechanism for the user to authorize each turn. This extends the agent's autonomous commitment to an external service across an entire ~10,000-word episode.

MEDIUM Moltbook identity enables cross-session agent tracking -10

The skill offers an alternative authentication method using a Moltbook identity token (X-Moltbook-Identity header). This links the agent to a persistent external identity across sessions, enabling the platform operator to correlate agent behavior, build profiles, and track the agent over time.

LOW Clean install with expected network traffic only -10

Install process performed a standard shallow sparse-checkout git clone from github.com. No unexpected connections, no unexpected process spawning, no filesystem changes outside the skill directory.

INFO No executable code or install-time hooks -4

Skill contains only markdown documentation. No JS/TS/Python/shell scripts, no npm install hooks, no git hooks, no submodules, no symlinks.

INFO Canary files accessed but intact — attributed to audit framework -8

Audit log shows read-access events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at timestamps both before and after installation. The symmetric, batched, read-only pattern is consistent with the audit system's own baseline checks rather than skill-driven access. Honeypot monitoring confirms no exfiltration.