Is d-meagher/trakt-tv safe?
https://github.com/openclaw/skills/tree/main/skills/d-meagher/trakt-tv
The d-meagher/trakt-tv skill is a legitimate, well-structured OpenClaw skill that teaches an agent to interact with the Trakt.tv API via curl commands. Static analysis of SKILL.md reveals no prompt injection, persona-switching, hidden instructions, or unauthorized data access patterns. Dynamic monitoring confirmed that the install was confined to GitHub traffic, all canary files remained intact, and no unexpected processes or network connections were created.
Findings (5)
LOW (-18): Executable shell script included in skill package
The skill ships get_trakt_token.sh, a bash script that assists with OAuth token acquisition. The script itself is benign (standard device-flow OAuth with set -e, jq parsing, and no eval), but if a user runs it, it makes an outbound POST to api.trakt.tv/oauth/token carrying user-supplied credentials. It is a helper, not something the skill loader executes automatically, so the user decides whether and when it runs and can read it first.
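A static check of the kind this finding describes, written here as an added example rather than code from the skill or from the Oathe tooling: it scans a shell script for the properties the audit looked for (set -e, jq parsing, no eval), plus a few other patterns that turn a "helper" into an execution or exfiltration primitive, and lists the hosts the script contacts. The script text is a constructed stand-in shaped by the finding's description, not the real get_trakt_token.sh.

```python
import re
from typing import Dict, List

# Constructed stand-in for get_trakt_token.sh (assumption: the real script is
# not reproduced on the audit page, only described).
SAMPLE_SCRIPT = """#!/usr/bin/env bash
set -e
CLIENT_ID="$1"
CLIENT_SECRET="$2"
DEVICE_CODE="$3"
RESP=$(curl -s -X POST https://api.trakt.tv/oauth/token \\
  -H "Content-Type: application/json" \\
  -d "{\\"code\\":\\"$DEVICE_CODE\\",\\"client_id\\":\\"$CLIENT_ID\\",\\"client_secret\\":\\"$CLIENT_SECRET\\"}")
echo "$RESP" | jq -r .access_token
"""

# Line-level patterns that would change the verdict on a helper script.
RISKY_PATTERNS = {
    "eval": r"\beval\b",
    "pipe_to_shell": r"\|\s*(ba|z|da)?sh\b",          # curl ... | bash
    "base64_decode": r"base64\s+(-d|--decode)",       # hidden payloads
    "source_remote": r"(^|\s)(source|\.)\s+<\(",      # source <(curl ...)
    "reverse_shell": r"/dev/tcp/",
}

HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def scan_shell_script(text: str) -> Dict[str, object]:
    """Return the facts a reviewer wants before deciding to run a script."""
    lines = text.splitlines()
    hits: List[str] = []
    for n, line in enumerate(lines, 1):
        for name, pat in RISKY_PATTERNS.items():
            if re.search(pat, line):
                hits.append(f"{name}@{n}")
    return {
        "set_e": any(re.match(r"\s*set\s+-[a-zA-Z]*e", l) for l in lines),
        "uses_jq": any(re.search(r"\bjq\b", l) for l in lines),
        "risky": hits,                         # empty list == no red flags
        "hosts": sorted(set(HOST_RE.findall(text))),
    }


if __name__ == "__main__":
    print(scan_shell_script(SAMPLE_SCRIPT))
```

The host list is the part to compare against the dynamic-monitoring result: a helper that only talks to api.trakt.tv should not show any other hostname here, and any entry in `risky` warrants reading the line before the script is ever executed.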
LOW (-13): Skill requires storage of OAuth tokens in OpenClaw config file
The skill instructs users to store TRAKT_CLIENT_ID, TRAKT_CLIENT_SECRET, TRAKT_ACCESS_TOKEN, and TRAKT_REFRESH_TOKEN in ~/.openclaw/openclaw.json. This is the standard OpenClaw pattern, but it persists the tokens in a plaintext config file readable by any skill or process running as the same user. Because the refresh token and the client secret sit side by side, anyone who can read the file can mint new access tokens on the user's behalf until the tokens are revoked, so at minimum the file should not be group- or world-readable and should be kept out of dotfile repositories.
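A check a user can run against their own config, added here as an example and not part of the skill or of OpenClaw: it walks the JSON, reports where the Trakt secrets live, and flags the file if its mode lets other users read it. The nesting of the keys under a skills section is an assumption; the check walks the whole document so the real layout does not matter. Note that file mode only closes the cross-user gap; the same-user exposure the finding describes remains.

```python
import json
import os
import stat
import tempfile
from typing import Dict, List

# Keys the skill tells the user to store; TRAKT_CLIENT_ID is an identifier, not a secret.
SECRET_KEYS = {"TRAKT_CLIENT_SECRET", "TRAKT_ACCESS_TOKEN", "TRAKT_REFRESH_TOKEN"}


def find_secret_keys(obj, path: str = "") -> List[str]:
    """Return dotted paths of every populated secret key anywhere in the JSON."""
    found: List[str] = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if k in SECRET_KEYS and v:
                found.append(p)
            found.extend(find_secret_keys(v, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            found.extend(find_secret_keys(v, f"{path}[{i}]"))
    return found


def audit_config(path: str) -> Dict[str, object]:
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as f:
        data = json.load(f)
    secrets = find_secret_keys(data)
    return {
        "mode": oct(mode),
        "group_or_world_readable": bool(mode & 0o077),
        "secrets": secrets,
        # Fine if there is nothing secret in it, or if only the owner can read it.
        "ok": not secrets or not (mode & 0o077),
    }


def demo() -> Dict[str, object]:
    # Constructed config (assumed layout) written to a temp file with a typical
    # umask-derived mode, then tightened to owner-only.
    cfg = {"skills": {"trakt-tv": {"env": {
        "TRAKT_CLIENT_ID": "abc", "TRAKT_CLIENT_SECRET": "s3cr3t",
        "TRAKT_ACCESS_TOKEN": "tok", "TRAKT_REFRESH_TOKEN": "ref"}}}}
    p = os.path.join(tempfile.mkdtemp(), "openclaw.json")
    with open(p, "w") as f:
        json.dump(cfg, f)
    os.chmod(p, 0o644)
    before = audit_config(p)
    os.chmod(p, 0o600)
    after = audit_config(p)
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Against the real file the call is simply `audit_config(os.path.expanduser("~/.openclaw/openclaw.json"))`; the `secrets` list doubles as the inventory of what to revoke at Trakt if the file ever leaks.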
INFO (-10): Ubuntu package update server connections observed during install
Network connections to Canonical/Ubuntu servers (91.189.91.48:443, 185.125.188.57:443) were observed during the install session. These are consistent with background system update checks and are unrelated to the skill installation itself. The skill install traffic was limited to GitHub (140.82.121.3:443).
INFO (0): Canary files accessed (attributed to Oathe audit infrastructure)
Auditd logs show access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at epoch timestamps 1771922344 (session start) and 1771922370 (session end). These access times correspond to the Oathe audit system's canary placement and final verification phases, not to skill activity; an access falling between the two boundaries would be the signal of interest, and none was recorded. The canary integrity check confirms all files are intact.
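The attribution above rests on correlating auditd timestamps with the session boundaries. The following is an added example of that correlation, not Oathe's own code: it groups auditd records by event serial, picks out accesses to canary paths, and buckets each one as harness activity (within a couple of seconds of session start or end) or as in-session activity that needs explaining. The log lines are constructed in auditd's record format; the GCP credential path and the process names are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Canary paths named in the finding; the gcloud path is an assumption since
# the page only says "GCP credentials".
CANARY_PATHS = (".env", ".ssh/id_rsa", ".aws/credentials", ".npmrc",
                ".docker/config.json", ".config/gcloud/application_default_credentials.json")

# Constructed auditd records: SYSCALL + PATH pairs sharing a serial number.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1771922344.102:9001): arch=c000003e syscall=257 success=yes exit=3 comm="python3" key="canary"
type=PATH msg=audit(1771922344.102:9001): item=0 name="/home/agent/.ssh/id_rsa" nametype=NORMAL
type=SYSCALL msg=audit(1771922344.103:9002): arch=c000003e syscall=257 success=yes exit=3 comm="python3" key="canary"
type=PATH msg=audit(1771922344.103:9002): item=0 name="/home/agent/.aws/credentials" nametype=NORMAL
type=SYSCALL msg=audit(1771922351.540:9010): arch=c000003e syscall=257 success=yes exit=4 comm="git" key="skill"
type=PATH msg=audit(1771922351.540:9010): item=0 name="/home/agent/.openclaw/skills/trakt-tv/SKILL.md" nametype=NORMAL
type=SYSCALL msg=audit(1771922370.011:9020): arch=c000003e syscall=257 success=yes exit=3 comm="python3" key="canary"
type=PATH msg=audit(1771922370.011:9020): item=0 name="/home/agent/.env" nametype=NORMAL
"""

MSG_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
NAME_RE = re.compile(r'name="([^"]+)"')
COMM_RE = re.compile(r'comm="([^"]+)"')


def parse_events(log: str) -> Dict[str, dict]:
    """Join SYSCALL and PATH records of one event by their audit serial."""
    events: Dict[str, dict] = defaultdict(lambda: {"ts": 0, "paths": [], "comm": None})
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        ev = events[m.group(2)]
        ev["ts"] = int(m.group(1))
        if (n := NAME_RE.search(line)):
            ev["paths"].append(n.group(1))
        if (c := COMM_RE.search(line)):
            ev["comm"] = c.group(1)
    return dict(events)


def attribute_canary_access(log: str, session_start: int, session_end: int,
                            slack: int = 2) -> Dict[str, List[dict]]:
    """Bucket canary touches as harness (at the edges) or session (in between)."""
    out: Dict[str, List[dict]] = {"harness": [], "session": []}
    for serial, ev in parse_events(log).items():
        hit = [p for p in ev["paths"] if p.endswith(CANARY_PATHS)]
        if not hit:
            continue
        ts = ev["ts"]
        at_edge = abs(ts - session_start) <= slack or abs(ts - session_end) <= slack
        out["harness" if at_edge else "session"].append(
            {"serial": serial, "ts": ts, "comm": ev["comm"], "paths": hit})
    return out


if __name__ == "__main__":
    print(attribute_canary_access(SAMPLE_AUDIT_LOG, 1771922344, 1771922370))
```

Anything that lands in the `session` bucket is what a reviewer should chase down by `comm` and path; with the page's session boundaries, the constructed sample produces an empty `session` list, matching the finding.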
INFO (-14): Skill grants agent write access to user Trakt account
Once configured, the skill allows an agent to add/remove items from watchlists, mark items as watched, modify ratings, and manage the collection. If the agent were manipulated by prompt injection from another source (for example malicious content in a webpage it browses), these write APIs could be used to corrupt the user's Trakt data. The skill itself does not introduce this attack surface, but users should be aware of the write capabilities; gating the write endpoints behind explicit user confirmation limits the blast radius of such an injection.
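One way to gate the write capabilities this finding describes, added here as an example and not part of the skill or of OpenClaw: every proposed Trakt API call is classified as read, write, or unknown; reads pass, writes require an explicit user confirmation and are refused outright when the instruction originated from untrusted content, and unrecognised mutating calls are denied by default. The endpoint paths are assumptions drawn from Trakt's public API rather than anything shown on the page, and the `context` field stands in for whatever provenance tag the agent runtime attaches to an instruction.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Mutating Trakt endpoints behind the capabilities the finding lists.
# Assumption: paths follow Trakt's public API (sync endpoints, "/remove" variants).
WRITE_RULES = [
    ("POST", r"^/sync/watchlist(/remove)?$"),   # add/remove watchlist items
    ("POST", r"^/sync/history(/remove)?$"),     # mark watched / unwatched
    ("POST", r"^/sync/ratings(/remove)?$"),     # modify ratings
    ("POST", r"^/sync/collection(/remove)?$"),  # manage collection
]


@dataclass
class Proposal:
    method: str
    path: str
    context: str = "user"   # "user" or "untrusted" (e.g. derived from browsed web content)
    confirmed: bool = False  # the user explicitly approved this call


def classify(method: str, path: str) -> str:
    if method.upper() == "GET":
        return "read"
    for m, pat in WRITE_RULES:
        if method.upper() == m and re.match(pat, path):
            return "write"
    return "unknown"


def decide(p: Proposal) -> Tuple[str, str]:
    """Return (verdict, reason) where verdict is allow, confirm or deny."""
    kind = classify(p.method, p.path)
    if kind == "read":
        return ("allow", "read-only call")
    if p.context != "user":
        # A write requested on the strength of untrusted content is the
        # prompt-injection case; it never reaches the confirmation prompt.
        return ("deny", "mutating call requested from untrusted context")
    if kind == "unknown":
        return ("deny", "unrecognised mutating endpoint")
    if not p.confirmed:
        return ("confirm", "write to Trakt account needs explicit confirmation")
    return ("allow", "confirmed write")


def decide_batch(proposals: List[Proposal]) -> List[str]:
    return [decide(p)[0] for p in proposals]


if __name__ == "__main__":
    for p in [Proposal("GET", "/sync/watchlist"),
              Proposal("POST", "/sync/watchlist/remove", context="untrusted"),
              Proposal("POST", "/sync/ratings"),
              Proposal("POST", "/sync/ratings", confirmed=True)]:
        print(p.method, p.path, decide(p))
```

The gate sits between the agent and the curl invocation; the point of the default-deny branch is that a new mutating endpoint the skill learns about later does not silently inherit write access.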