Is fr3nch13/openclaw-trakt safe?
https://github.com/openclaw/skills/tree/main/skills/fr3nch13/openclaw-trakt
The openclaw-trakt skill is a functional Trakt.tv OAuth integration with no evidence of active malice: no prompt injection, no exfiltration to attacker-controlled endpoints, and clean clone behavior. The primary concerns are structural: OAuth credentials (including long-lived access tokens) are persisted in plaintext at ~/.openclaw/trakt_config.json, where co-installed skills can read them, and setup.py installs Python packages system-wide using --break-system-packages. Honeypot credential files were accessed during monitoring, but the access timing and pattern are consistent with the audit framework's own baseline checks rather than with the skill, and all canary files remained intact.
Findings (9)
HIGH Canary credential files accessed during monitoring window -20
Six honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened and read at two distinct times during the audit: once pre-install (audit timestamp 1771904630.650) and once post-install (1771904653.693). The rapid sequential access to exactly these six files is characteristic of the audit framework's own baseline and integrity verification scans. Crucially, no python3 process was executed during the audit, the skill's Python code contains no references to these paths, and no outbound network connection to unknown IPs was observed. All canary files remain intact per the integrity check. Risk is noted but attributed to audit instrumentation rather than skill behavior.
MEDIUM setup.py installs packages system-wide with --break-system-packages -18
The setup.py script automatically installs the Python 'requests' library using pip with the --break-system-packages flag if it is not already present. This modifies the system Python environment beyond what is needed to operate the skill, and introduces a dependency on the PyPI supply chain at runtime. While requests is a well-known library, the pattern of agent-triggered system-level package installation is a meaningful escalation of scope.
MEDIUM OAuth credentials stored in plaintext at ~/.openclaw/trakt_config.json -15
The skill guides the agent to collect the user's Trakt client_id, client_secret, access_token, and refresh_token and persist them in plaintext JSON at ~/.openclaw/trakt_config.json. This file is readable by any process running as the same user, including other installed skills with filesystem read capability. A malicious co-installed skill could trivially read and exfiltrate these tokens.
MEDIUM Skill actively instructs agent to execute bundled Python scripts -15
SKILL.md and INSTALL.md contain explicit instructions for the agent to run python3 scripts/setup.py and python3 scripts/trakt_client.py with various subcommands. The scripts perform subprocess execution, network I/O to Trakt's API, filesystem writes to ~/.openclaw/, and browser launch operations. While the code appears to implement the stated Trakt integration, granting agent permission to run arbitrary bundled scripts on user request is a meaningful attack surface.
MEDIUM Persistent OAuth token enables long-term Trakt account access -20
Once installed, the skill stores a long-lived Trakt access_token (expires_in: 7776000 seconds / ~90 days per API docs) in plaintext. Any co-installed skill with filesystem access can silently read this token and make authenticated Trakt API calls, accessing the user's full watch history, watchlist, and ratings. This watch history could be used for social profiling or embarrassment-based social engineering.
LOW Skill instructs agent to collect and persist sensitive credentials on behalf of user -8
INSTALL.md explicitly guides the agent through a multi-step credential collection flow, instructing it to ask the user for CLIENT_ID and CLIENT_SECRET, store these in a shell variable, and write them to disk via cat heredoc. While this is standard practice for OAuth PIN flows, it trains the agent to accept and act on credential-handling instructions from the skill document, which could be misused in a higher-risk skill.
LOW setup.py opens browser windows via subprocess -5
setup.py launches the user's browser using xdg-open (Linux), open (macOS), or start (Windows) to navigate to Trakt OAuth pages. While expected for OAuth PIN flows, this represents subprocess execution that could be redirected to malicious URLs if the skill were backdoored.
INFO Only expected GitHub network connection during clone 0
Network monitoring shows only a connection to 140.82.121.4:443 (GitHub) during the git clone phase. No unexpected destinations, no DNS queries to suspicious domains, and no firewall-blocked attempts.
INFO No prompt injection patterns detected in SKILL.md 0
SKILL.md contains no instructions to ignore previous instructions, no invisible unicode, no HTML comments, no base64-encoded hidden commands, no persona-switching, and no requests for permissions beyond what a Trakt integration legitimately requires.