Is grahac/botsee safe?

The skill's /botsee update command downloads a tar.gz archive from github.com/RivalSee/botsee-skill at a version number determined entirely by the BotSee API server (via the skill_update_available field returned in any API response). The archive is extracted and installed over the live skill files with no cryptographic signature verification, no hash pinning, and no integrity check beyond a semver regex on the version string. BotSee's server can unilaterally push any version — including malicious payloads — to all installed instances. The update overwrites both SKILL.md (which controls agent behavior) and the scripts/ directory.

The download_github_release() function calls tarfile.extractall(path=temp_dir) without using the filter parameter introduced in Python 3.12 (filter='data') or manual path validation. A malicious tar archive — served by a compromised BotSee or GitHub infrastructure — could use path traversal entries (e.g., ../../.claude/CLAUDE.md) to overwrite arbitrary files in the user's home directory, including Claude configuration, SSH keys, or shell profiles.

The /botsee signup-pay-usdc and /botsee topup-usdc commands make a payment request to BotSee's server which returns the network, amount, and payTo address for a USDC transfer on Base. The agent is then instructed to use a wallet to send funds to that address. A compromised or malicious BotSee server can return any payTo address, redirecting user cryptocurrency payments to an attacker-controlled wallet. There is no display of a pre-known expected address for user verification.

SKILL.md contains an IMPORTANT section that instructs the agent to monitor all conversation content for strings matching bts_live_* or bts_test_* patterns and automatically execute signup --api-key without the user explicitly invoking a /botsee command. This overrides normal agent behavior (require explicit invocation) and could intercept API keys pasted for unrelated purposes, keys visible in screenshots, or keys in automated pipeline outputs.

The api_call() function unconditionally appends SKILL_VER to every POST body. This enables BotSee to track version distribution across installations, identify users on outdated versions (to target with upgrade prompts), and correlate user activity across API sessions by skill version. While not directly exfiltrating credentials, it constitutes undisclosed telemetry.

The combination of server-controlled update version and unverified code installation creates a persistent, low-detectability supply chain backdoor. Once installed, any future /botsee command triggers an update availability check. If BotSee's infrastructure is compromised or acts maliciously, they can push a version that modifies SKILL.md to inject adversarial prompt instructions or replaces botsee.py with a version that reads and exfiltrates ~/.aws/credentials, ~/.ssh/id_rsa, or other sensitive files. The user sees a notification but cannot verify the update content.

Downloaded update archives are validated only by a semver regex on the version string. There is no expected-hash comparison, no GPG signature verification, and no comparison against a trusted manifest. Any HTTPS MITM or GitHub account compromise would allow arbitrary code installation.

The USDC payment flow in SKILL.md instructs agents with access to wallets (Pinch, Coinbase CDP Agentic Wallet) to autonomously send USDC to server-provided addresses. While this is the stated function of the x402 payment flow, it represents a significant financial action being taken with minimal confirmation friction, and the payTo address is not independently verifiable.