Is danil4091/vk-client-search-repetitor safe?

The skill explicitly instructs the agent to configure a timer that re-runs the full monitoring cycle every three hours indefinitely. This creates a persistent background execution loop without requiring the user to re-invoke or re-authorize each cycle, effectively granting the skill long-running autonomy.

The skill requests internet_access, file_system_read_write, and schedule_task simultaneously. While each permission is individually defensible for the stated use case, granting all three together gives the skill the ability to make arbitrary network calls, read or write any accessible file, and create persistent background tasks — a significant combined capability surface.

The skill's primary function is to harvest personal information — full names, post text, group membership — from VK users who have not consented to being profiled. The data is stored in a local CSV. This pattern likely violates GDPR (for EU users), VK's automated-access Terms of Service, and user privacy expectations, even though the data does not leave the local machine.

The skill instructs users to paste their VK Service Token directly into config.json in the skill directory. This credential is then stored in plaintext and is readable by any process or co-installed skill with filesystem access. A malicious skill installed alongside this one could silently harvest the token.

The OUTPUT_PATH configuration parameter allows the skill's file-write operations to target any filesystem path, not just a sandboxed directory. If an attacker can influence the path value (e.g., through a prompt in the environment), the agent could be directed to overwrite sensitive files.

Complete review of all skill files found no executable code of any kind. The skill operates entirely through natural-language instructions in SKILL.md and a JSON configuration file. No install-time execution vector exists.

The skill optionally instructs the agent to fall back to HTML scraping if the VK API is insufficient for discussion groups. While not malicious, HTML parsing bypasses API rate limits and terms-of-service guardrails, and could be used more broadly than intended.

The git clone operation produced a single outbound HTTPS connection to github.com (140.82.121.4:443), consistent with the expected sparse checkout from the openclaw/skills monorepo. No additional network connections were initiated by the skill installation process. Pre-existing Ubuntu/Canonical connections (185.125.x.x) in the BEFORE snapshot are system-level and unrelated to this skill.

Six honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at timestamps 08:00:17 and 08:00:35. Cross-referencing the process execution timeline — skill git clone began at 08:00:23 and completed at 08:00:30 — places both access clusters outside the window of skill-controlled execution, consistent with the oathe audit framework's own pre-install canary creation and post-install integrity verification. No writes to any of these files were detected.

The skill's core operation — automated mass-scanning of public VK communities to profile and score individuals based on their posts — constitutes personal data processing under GDPR definitions for any EU-resident user. The skill collects data subjects' names, expressed needs, geographic context (city-specific groups), and educational circumstances without a lawful processing basis. This is a systemic design issue, not an edge case, and could expose the skill's operator to regulatory and legal risk.

In isolation this skill only writes a local CSV. However, the leads_math.csv database — containing names, post content, and behavioral signals about real individuals — becomes immediately exfiltrable if any co-installed skill has outbound HTTP POST, email, or webhook capabilities. No inter-skill isolation mechanism is mentioned.