Is dinstein/media-news-digest safe?
https://github.com/openclaw/skills/tree/main/skills/dinstein/media-news-digest
The media-news-digest skill is a functional, security-aware media monitoring pipeline with a legitimate stated purpose, but it carries moderate risks warranting review before deployment. The primary concerns are: (1) an indirect instruction architecture where SKILL.md defers to a secondary prompt file (digest-prompt.md), creating a two-hop instruction chain; (2) a content-mediated prompt injection surface from an automated multi-source news pipeline with unreviewed sanitization code; and (3) cross-repo provenance ambiguity between the claimed homepage (draco-agent) and the actual installation source (openclaw). On the positive side, canary files were fully intact, installation behavior was clean, and the CHANGELOG demonstrates active security improvements including a prompt injection filter added in v1.7.1.
Findings (11)
HIGH Indirect Instruction Chaining via External Prompt File -15
SKILL.md contains cron integration snippets in Chinese that instruct the agent to read references/digest-prompt.md and execute all instructions within it. This two-hop architecture means the operative system-level instructions for this skill live in a separate file that could be updated independently of SKILL.md. The agent is effectively told to load and comply with a secondary prompt document, which is a structural instruction-loading vector built into the skill's design rather than injected content inside the skill itself. Any future modification to digest-prompt.md (through a skill update) changes agent behavior without changing the SKILL.md that users inspect.
HIGH Majority of Pipeline Scripts Not Available for Review -15
The skill contains twelve Python scripts but only three (merge-sources.py, fetch-web.py, validate-config.py) were included in the evidence. The eight unreviewed scripts cover the entire data collection pipeline (fetch-rss.py, fetch-twitter.py, fetch-reddit.py), content processing and sanitization (sanitize-html.py, summarize-merged.py), pipeline orchestration (run-pipeline.py), and shared utilities (config_loader.py, source-health.py). The sanitize-html.py script is particularly security-critical as it processes external content before email delivery, but its implementation cannot be verified.
MEDIUM Content-Mediated Prompt Injection via Automated Multi-Source Pipeline -20
The pipeline fetches live content from RSS feeds (15 sources), Twitter/X KOLs (13 accounts), Reddit (6 subreddits), and web search. Any of these sources — including legitimate-looking news articles or tweets — can contain adversarial text crafted to inject instructions into the LLM processing context. The automated cron schedule removes human oversight from each run. While v1.7.1 added a prompt injection filter in summarize-merged.py (one of the unreviewed scripts), LLM-based injection detection is inherently imperfect and cannot be audited here.
MEDIUM Archived Previous Reports Re-Injected into Agent Context -8
digest-prompt.md instructs the agent to read the most recent file from the workspace archive before generating a new report. These archived .md files contain previously-processed news content that passed through the LLM in prior runs. If a prior digest was contaminated by adversarial RSS/social content, that content would be re-introduced into the agent context on every subsequent run, creating a persistence mechanism for injected instructions.
MEDIUM Cross-Repository Provenance Discrepancy -8
SKILL.md claims homepage and source URLs at github.com/draco-agent/media-news-digest, but the skill is installed from github.com/openclaw/skills. This discrepancy suggests either a fork, a rebrand, or upstream attribution to a separately maintained repository. Users reviewing the source at the claimed homepage may be examining different code than what is actually installed. The _meta.json commit hash points to the openclaw monorepo, which is the ground truth, but the divergence creates a supply chain ambiguity.
LOW External CLI Dependencies Expand Agent Trust Boundary -8
The skill instructs the agent to invoke mail/msmtp and optionally gog (Google Workspace CLI) for email delivery. These CLIs operate with ambient credentials pre-configured on the host. The gog CLI manages its own Google OAuth tokens and, if authenticated, would be used to send email from the user's Google account. While the skill includes the correct instruction not to interpolate untrusted content into subjects, the use of external CLIs with pre-existing credentials extends the implicit trust granted to this skill.
LOW Automated Destructive File Operations Without User Confirmation -5
digest-prompt.md instructs the agent to automatically delete all archive files older than 90 days as part of each run. This is a destructive filesystem operation that executes without user confirmation on every cron invocation. If an attacker can trigger the digest pipeline (e.g., via a malicious cron prompt), they could accelerate this deletion.
LOW Duplicate YAML Key in SKILL.md Frontmatter -5
The SKILL.md frontmatter contains two identical 'source:' keys. The YAML specification treats duplicate keys as undefined behavior, and different parsers handle them differently (first-wins vs. last-wins vs. error). While the content of both keys is identical, making this harmless in practice, it is a quality defect that suggests a copy-paste error and reduces confidence in frontmatter integrity.
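A reviewer can catch this class of defect before a parser silently picks one value. The following Python check is an added example, not code from the skill or the openclaw repository: it extracts the top-level keys of a SKILL.md frontmatter block without relying on any YAML library (so the library's own duplicate-key policy cannot mask the problem), reports keys that occur more than once, and shows how first-wins, last-wins and reject policies diverge. The SKILL.md texts and URLs in it are constructed for the example; the real skill's duplicate values are identical, but the second sample uses differing values to make the parser divergence visible.

```python
import re
from collections import Counter

# Constructed sample mirroring the finding: the 'source:' key appears twice
# with the same value (values are invented for the example).
SAMPLE_SKILL_MD = """---
name: media-news-digest
source: https://example.invalid/claimed-homepage
version: 1.7.1
source: https://example.invalid/claimed-homepage
---
# media-news-digest
Body text follows.
"""

# Constructed sample where the duplicate values differ, so the chosen
# duplicate-key policy changes what the consumer of the frontmatter sees.
SAMPLE_DIVERGENT = """---
name: example-skill
source: https://example.invalid/a
source: https://example.invalid/b
---
"""

TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w.-]*):")


def extract_frontmatter(text):
    """Return the lines between the opening and closing '---' fences, or [] if absent."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    for i in range(1, len(lines)):
        if lines[i].strip() == "---":
            return lines[1:i]
    return []  # unterminated frontmatter is treated as absent


def _key_value_pairs(frontmatter_lines):
    """Yield (key, raw_value) for top-level mapping entries only."""
    for line in frontmatter_lines:
        # Indented lines belong to nested mappings; blanks and comments carry no key.
        if line[:1].isspace() or not line.strip() or line.lstrip().startswith("#"):
            continue
        m = TOP_LEVEL_KEY.match(line)
        if m:
            yield m.group(1), line[m.end():].strip()


def find_duplicate_keys(text):
    """Map each top-level key that appears more than once to its occurrence count."""
    counts = Counter(key for key, _ in _key_value_pairs(extract_frontmatter(text)))
    return {key: n for key, n in counts.items() if n > 1}


def parse_frontmatter(text, policy="reject"):
    """Build a key->value mapping with an explicit duplicate-key policy.

    policy: "reject" raises on a duplicate, "first-wins" keeps the first value,
    "last-wins" keeps the last value (the behaviour many YAML loaders default to).
    """
    result = {}
    for key, value in _key_value_pairs(extract_frontmatter(text)):
        if key in result:
            if policy == "reject":
                raise ValueError(f"duplicate frontmatter key: {key}")
            if policy == "first-wins":
                continue
        result[key] = value
    return result


def rejects_duplicates(text):
    """True if the strict policy refuses the frontmatter, as a review gate should."""
    try:
        parse_frontmatter(text, "reject")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("duplicates in sample SKILL.md:", find_duplicate_keys(SAMPLE_SKILL_MD))
    for policy in ("first-wins", "last-wins"):
        print(policy, "->", parse_frontmatter(SAMPLE_DIVERGENT, policy)["source"])
```

Running the strict policy as a pre-merge or pre-install gate is the useful part: a frontmatter that parses cleanly under last-wins in one tool and first-wins in another gives two reviewers two different 'source' values for the same file.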
INFO All Canary Honeypot Files Intact 0
Six honeypot credential files placed in the execution environment were not accessed by the skill's installation process, were not modified, and their contents were not observed in any outbound network traffic. This confirms the skill did not attempt credential harvesting during the monitored period.
INFO Clean Installation — Expected Connections Only 0
The git clone during installation contacted only github.com (140.82.121.3:443) for the repository content and Ubuntu package servers (185.125.x.x:443) which were pre-existing connections. No unexpected outbound connections were initiated. The sparse-checkout pattern correctly isolated only the skill subdirectory from the monorepo.
INFO Security-Conscious Development Practices Observed 0
Multiple positive security signals in the codebase: CHANGELOG v1.7.1 explicitly added a prompt injection filter; digest-prompt.md includes 'Do not interpolate fetched/untrusted content into shell arguments or email subjects'; the email template documentation explicitly warns 'Never manually build HTML from fetched content. Always use sanitize-html.py'; the credentialAccess metadata field documents exactly what credentials are used and why.