Is eksubin/researchassistant safe?

https://github.com/openclaw/skills/tree/main/skills/eksubin/researchassistant

Score: 86 · SAFE

ResearchMonitor is a straightforward research-topic tracking skill with a benign Python helper script that manages a local JSON state file. No malicious prompt injection, no exfiltration code, and no suspicious install-time behavior were detected; the canary file reads are attributable to the audit framework. The primary concerns are second-order: web-fetched content (paper titles, URLs) is passed as shell arguments to the Python script, creating a potential shell injection path if the agent uses naive string interpolation, and the same web content is a prompt injection surface for adversarial publishers.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (6)

MEDIUM Web-returned content passed as shell arguments to Python script -10

SKILL.md instructs the agent to invoke 'scripts/daily_briefing.py --mark-seen "URL or Unique Title"' and '--check-seen "URL or Unique Title"' where the identifier comes directly from web search results. If the agent constructs this invocation via shell string interpolation rather than as a Python subprocess argument array, a crafted paper title or URL containing shell metacharacters could break out of the quoted context and execute arbitrary shell commands.
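The distinction this finding draws, as an added example (not the skill's own code): build_argv() passes the web-derived identifier as a single argv element, build_shell_string() shows the interpolated form that shell=True would hand to /bin/sh, and shell_tokens() tokenises that string the way a POSIX shell would without executing it. The script path is the one quoted from SKILL.md above; the crafted title, the argparse-style guard and the helper names are assumptions.

```python
import shlex
import subprocess
from typing import List

# Path quoted in SKILL.md per the finding. The script itself is not part of
# this example; run_mark_seen() only works where it exists.
SCRIPT = "scripts/daily_briefing.py"
ALLOWED_FLAGS = ("--mark-seen", "--check-seen")


def build_argv(flag: str, identifier: str) -> List[str]:
    """Safe form: the web-derived title/URL is one argv element.

    No shell parses it, so quotes, ';', '$(...)' and backticks are inert.
    """
    if flag not in ALLOWED_FLAGS:
        raise ValueError(f"unexpected flag {flag!r}")
    # Assumption: the script uses an argparse-style parser, which would read
    # an identifier starting with '-' as an option; reject such values.
    if identifier.startswith("-") or not identifier.strip():
        raise ValueError("identifier must be a non-empty, non-option value")
    return ["python3", SCRIPT, flag, identifier]


def build_shell_string(flag: str, identifier: str) -> str:
    """Unsafe form the finding warns about: naive interpolation inside
    double quotes, intended for subprocess.run(..., shell=True)."""
    return f'python3 {SCRIPT} {flag} "{identifier}"'


def shell_tokens(command: str) -> List[str]:
    """Split a command the way a POSIX shell would, without running it,
    so a quoted-context breakout can be inspected rather than executed."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def run_mark_seen(identifier: str) -> subprocess.CompletedProcess:
    """Invoke the script with the argv form; shell=False is the default."""
    return subprocess.run(build_argv("--mark-seen", identifier),
                          capture_output=True, text=True, check=False)


# Constructed sample: a title whose embedded quote and ';' would close the
# quoted argument and start a second command under the shell-string form.
CRAFTED_TITLE = 'Attention Is All You Need"; echo injected; echo "'

if __name__ == "__main__":
    print(build_argv("--mark-seen", CRAFTED_TITLE))  # 4 elements, title intact
    print(shell_tokens(build_shell_string("--mark-seen", CRAFTED_TITLE)))
```

Under the argv form the whole crafted title stays one argument; under the interpolated form the shell would see `;` and `echo` as separate words.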

LOW Web search results are a prompt injection vector -15

The skill directs the agent to search arXiv, IEEE Xplore, Google Scholar, and X/Twitter, then summarize findings. Malicious content embedded in paper abstracts, titles, or tweets could contain adversarial instructions targeting the agent's system prompt or subsequent tool calls. This is a second-order risk inherent to any web-searching skill, but it is worth noting given the breadth of platforms the skill accesses.

LOW User research profile persisted in plaintext local file -18

The skill accumulates the user's research topics and a full history of every paper/conference they have been shown in research_config.json. This file is stored unencrypted in the skill directory. Any other skill or process with read access to the filesystem could read this file and learn detailed information about the user's professional research interests.

LOW Suppression instruction could mask unrelated agent activity -25

The CRITICAL emphasis on not bothering the user when nothing is new creates a habit of silence that, in combination with other skills, could be leveraged to suppress agent output when an attacker wants to operate quietly. On its own this is benign, but it is an unusual behavioral override.

INFO Install performed clean sparse-checkout from expected upstream 0

The git clone targeted github.com/openclaw/skills, performed a sparse checkout of only the skill subdirectory, and cleaned up the temp clone. No unexpected processes or network connections were observed.

INFO Canary file reads attributable to audit framework, not skill 0

Six canary files were read at 07:35:02 and 07:35:27. Both read events occur at exact millisecond boundaries across all six files simultaneously, a pattern consistent with the oathe audit framework performing its before/after baseline sweeps. The skill install did not begin until 07:35:08 and no skill code runs before or after in a way that would explain these reads. All canary hashes remain unchanged.