Is dinstein/tech-news-digest safe?
https://github.com/openclaw/skills/tree/main/skills/dinstein/tech-news-digest
The tech-news-digest skill is a legitimate, well-documented tech news aggregator whose principal security risk is architectural rather than immediately malicious: it uses a 'prompt template' pattern where agents are instructed to unconditionally follow digest-prompt.md from the skill directory on every cron execution, creating a persistent indirect prompt injection surface exploitable via supply chain compromise of either the openclaw/skills or draco-agent/tech-news-digest repositories. The installation was clean with no unexpected network connections or file system modifications, and the canary integrity check confirmed no credential exfiltration occurred — the observed credential file reads during monitoring are consistent with the audit framework's own pre- and post-install canary verification routine. A source URL mismatch between the distribution repo and the declared origin repo creates audit ambiguity, and 10 of the 11 bundled Python scripts were not provided for source review.
Findings (9)
HIGH (-35): Persistent Prompt Template Injection Surface via digest-prompt.md
The skill's cron integration instructs agents to read and blindly follow references/digest-prompt.md from the skill directory on every scheduled execution. This creates a living indirect prompt injection surface: any future update to the skill repo's digest-prompt.md is automatically trusted and executed by the agent without user review. The cron prompt explicitly includes a compliance directive — 'Follow every step in the prompt template strictly. Do not skip any steps.' — which suppresses agent discretion. A supply chain compromise of openclaw/skills or the referenced draco-agent/tech-news-digest repo would immediately affect all agents running this skill on their next cron run, granting attackers persistent control to run arbitrary shell commands, exfiltrate data, send messages, or delete files.
MEDIUM (-12): Sensitive Credential Files Accessed During Monitoring Period
The inotify and auditd monitoring captured read-only access to six sensitive credential files during the audit period. The access occurred in two batches with identical file sequences: once at audit startup (1771922688.507, before install) and once post-install (1771922707.070). The identical ordering and timing strongly indicate the audit framework's own canary verification routine rather than skill activity. The canary integrity check confirms no file modification or exfiltration. However, the post-install access batch at 1771922707 lacks a corresponding EXECVE record in the audit log excerpt, so it cannot be conclusively attributed to the framework.
MEDIUM (-28): Eleven Python Scripts Execute with Network Access; Only One Audited
The skill bundles 11 Python scripts intended to be run directly by the agent on each digest generation. Only merge-sources.py source code was included in the audit evidence. The remaining 10 scripts — which make outbound HTTP connections to Twitter API, GitHub API, Reddit, Brave Search, and arbitrary RSS feed URLs — could not be fully reviewed. run-pipeline.py orchestrates all others via subprocess.run(). fetch-github.py makes two additional subprocess calls: openssl for JWT signing and gh auth token for credential access. The scripts use ThreadPoolExecutor with up to 10 parallel workers, making many simultaneous outbound connections.
MEDIUM (-20): Source URL Mismatch Between Distribution and Declared Origin
The skill is distributed from github.com/openclaw/skills but declares both homepage and source as https://github.com/draco-agent/tech-news-digest — a different GitHub organization. This creates ambiguity about which repository is the authoritative source for security auditing, whose update pipeline governs the skill, and which repo a security team should monitor for malicious changes. Future versions of the skill in both repos may diverge without users being aware.
MEDIUM (-22): Supply Chain Attack Could Grant Persistent Agent Control
Because agent behavior is driven by digest-prompt.md inside the skill directory, a supply chain compromise of the openclaw/skills monorepo or the referenced draco-agent/tech-news-digest repo would allow an attacker to modify the prompt template and control every agent running this skill. The skill's rapid release cadence (10 versions in ~7 days per _meta.json history) suggests frequent updates, which widens the window in which a malicious change could be shipped and picked up. The skill also fetches content from 133+ external URLs that the agent then processes; a compromised RSS source could attempt injection through that fetched content.
LOW (-8): GitHub App PEM Private Key Access via GH_APP_KEY_FILE
The skill declares a GH_APP_KEY_FILE environment variable pointing to a GitHub App RSA private key PEM file. When set, fetch-github.py reads this file and uses openssl to generate a JWT for GitHub App authentication. While this capability is declared in the SKILL.md metadata, it means the skill's Python scripts have read access to a high-value asymmetric private key on the user's filesystem. If fetch-github.py were compromised (via supply chain or digest-prompt.md manipulation), this key could be exfiltrated.
LOW (-6): Pipeline Writes Fetched Content to World-Readable /tmp
The pipeline writes all collected article data to /tmp/td-merged.json and other /tmp/td-*.json intermediates, as well as the email HTML body to /tmp/td-email.html. On Linux, /tmp is world-readable by default. These files contain fetched article content from 133+ external sources. A malicious RSS feed or Twitter KOL could craft content that, when written to /tmp, could be read by other local processes or leveraged in second-stage local attacks.
LOW (-8): Email Delivery Via Shell CLI Creates Potential Exfiltration Channel
The digest-prompt.md instructs the agent to write the full HTML digest to /tmp/td-email.html then deliver it via mail (msmtp) or gog CLI to a caller-configured email address. While the template explicitly says subjects must be static strings, the email recipient and body are dynamically specified. If digest-prompt.md were compromised, an attacker could redirect email delivery to an attacker-controlled address with exfiltrated workspace content in the body.
INFO (0): Installation Process Is Clean and Confined
The skill was installed via a standard OpenClaw monorepo workflow: shallow git clone of openclaw/skills, sparse checkout of the skill subdirectory, copy to /home/oc-exec/skill-under-test/, and cleanup of the temp clone. All observed activity was expected. No unexpected processes were spawned, no files were written outside the skill directory, and no unexpected network connections were made. The pre-existing connection to 185.125.188.59:443 was present before install and is unrelated to the skill.