Is farseek2020/farseek safe?
https://github.com/openclaw/skills/tree/main/skills/farseek2020/farseek
Farseek is a documentation-only skill with no executable code, no prompt injection, and a clean installation that contacts only GitHub during setup. The dominant risk is by design: every job search invocation causes the agent to transmit the user's professional profile (skills, location, role, historical titles) to the third-party farseek.ai API without any built-in user consent step, creating ongoing career data aggregation and privacy exposure. Honeypot file accesses observed in monitoring logs are attributed to the audit framework's own setup and teardown routines, not the skill.
Category Scores
Findings (6)
MEDIUM By-Design Transmission of User Career PII to Third-Party API -35 ▶
Every invocation of this skill causes the agent to POST the user's professional profile — including a skills array (up to 50 entries), geographic location, current/desired job title, and historical job titles — to https://farseek.ai/api/v1/search. This is the skill's stated purpose, but the user is not warned that their career data will be sent to an external service, and no consent prompt is included in the skill instructions. The farseek.ai service's data retention, sharing, and monetization policies are unknown from the skill alone.
LOW Career Profile Aggregation and Job-Search Behavioral Tracking -32 ▶
Over repeated use, farseek.ai accumulates a time-series record of the user's skill set, location, career trajectory, and job search activity. This constitutes de facto professional profiling on a third-party server outside the user's control. Users in sensitive situations (actively searching while employed, government or defense roles, salary negotiation contexts) face elevated privacy risk. The skill documentation includes no data minimization, anonymization, or retention limit information.
LOW No User Consent Step Before External Data Transmission -12 ▶
The skill instructs the agent to gather professional data from the user and immediately transmit it to farseek.ai. There is no instruction directing the agent to first disclose that data will leave the local context, name the recipient endpoint, or obtain explicit user approval. A security-conscious skill would include a confirmation step before any PII is transmitted to a third party.
LOW Honeypot File Access Events Recorded During Audit Window -10 ▶
inotify monitoring captured OPEN and ACCESS events against six honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) at two points during the audit: before the git clone (epoch ~1771933654) and at audit teardown (epoch ~1771933671). Since the skill contains no executable code and no processes attributable to the skill were observed in auditd at those timestamps, these accesses are attributed to the oathe-audit framework's honeypot setup and teardown routines. The canary integrity check confirms no content modification or exfiltration occurred.
INFO Documentation-Only Skill — No Executable Artifacts -5 ▶
The installed skill consists exclusively of SKILL.md (API documentation) and _meta.json (registry metadata). No executable code, package manifests, install lifecycle scripts, git hooks, submodules, symlinks, or compiled binaries were found. The skill cannot execute code at install time or at rest; its only effect is injecting API usage instructions into the agent's context.
INFO Clean Installation — Expected Network Activity Only 0 ▶
The installation process contacted only GitHub (140.82.121.3:443, identified via auditd SOCKADDR) to perform a sparse git checkout of the skill subdirectory from the openclaw/skills monorepo. DNS queries resolved only internal, GitHub, and Canonical (Ubuntu) infrastructure. No connections to farseek.ai, no unexpected IP ranges, and no new persistent listeners appeared after installation.