Is gravyxbt/x-voice-match safe?

https://github.com/openclaw/skills/tree/main/skills/gravyxbt/x-voice-match

Overall score: 68 · CAUTION

X Voice Match is a social media voice-cloning skill that generates Twitter/X posts explicitly optimized to be indistinguishable from a target account's real content, with built-in confidence scoring that targets maximum deception efficacy. No active credential harvesting, network exfiltration, or overt prompt override was found in the distributed files. However, the skill contains a multi-stage subprocess execution chain that invokes an unvetted external binary (bird.sh), constructs and outputs crafted LLM prompts designed to steer the hosting agent ('Dale') and bypass direct user instruction, and is demonstrably purpose-built for a specific named agent deployment. The skill's core impersonation capability, combined with the absence of any safeguards, makes it a high-risk component for disinformation or identity fraud when composed with any social media posting tool.

Category Scores

Prompt Injection 68/100 (weight 30%)
Data Exfiltration 75/100 (weight 25%)
Code Execution 55/100 (weight 20%)
Clone Behavior 88/100 (weight 10%)
Canary Integrity 75/100 (weight 10%)
Behavioral Reasoning 30/100 (weight 5%)

Findings (10)

HIGH Skill purpose-built for social media impersonation/text deepfaking -35

The skill's explicit design goal is to generate Twitter/X posts that are 'indistinguishable from real tweets' and that would 'make someone think [account] definitely wrote this.' The confidence scoring system (target 80+) and the generation checklist item 'Sounds authentic (could fool someone)' demonstrate deliberate optimization for deception rather than creative assistance. The checklist item 'Passes the would they actually tweet this? test' is a deception-efficacy metric, not a quality metric. This capability enables identity fraud, reputational attacks, and disinformation at scale.

HIGH All canary credential files accessed during monitoring period -25

Six honeypot credential files were opened and read at two separate points during the audit: before the clone (epoch 1771935829.431-439, an ~8ms window for all six files) and after installation (epoch 1771935849.575, a 1ms window for all six files). The simultaneous sub-millisecond access to all six files at 1771935849 is characteristic of the Oathe framework's canary integrity verification sweep. However, the access before the git clone (1771935829) precedes the Oathe file-scanning phase, and no EXECVE entry directly correlates a specific process with these reads. The integrity check confirmed that the canary files were not modified.

HIGH Multi-stage subprocess execution chain with user-controlled inputs -22

analyze_voice.py executes /data/workspace/bird.sh via subprocess.run() with the user-supplied username as a positional argument. generate_post.py chains this further by spawning analyze_voice.py via subprocess. User-controlled data propagates through the entire chain: agent input → generate_post.py → analyze_voice.py → bird.sh. While shell=True is not used (preventing direct shell injection), bird.sh's argument-parsing behavior is unknown and could interpret shell metacharacters in username values.

MEDIUM generate_post.py constructs and outputs crafted LLM prompt to steer agent generation -15

The generate_post.py script constructs a detailed multi-section prompt (voice characteristics, sample tweets, critical style rules, generation task) and prints it to stdout inside a clearly delimited block. The script's own comments state the agent ('Dale') will 'intercept here and use their own LLM access to generate.' This is deliberate in-band prompt injection: the skill author controls what LLM prompt the agent applies to the generation task, bypassing whatever the user directly requested.

MEDIUM Skill explicitly targets named agent 'Dale' across multiple code locations -12

generate_post.py contains three distinct references to 'Dale' as the expected consuming agent — in a docstring, a comment, and a print statement. This indicates the skill was authored specifically for a named agent's deployment environment. Purpose-built skills may be tuned to exploit specific agent trust levels, system prompt structures, or tool-calling conventions that the skill author knows in advance.

MEDIUM Hardcoded dependency on unvetted external binary /data/workspace/bird.sh -15

The skill unconditionally invokes /data/workspace/bird.sh, an external shell script not bundled with the skill and not version-controlled within it. Its security posture, origin, and behavior are opaque. If bird.sh is compromised, swapped for a malicious version, or interprets its arguments as shell commands, the user-controlled username argument becomes an arbitrary command injection vector.

MEDIUM No safeguards against misuse; dangerous when composed with posting capability -25

The skill contains no consent verification, target allowlisting, rate limiting, disclosure requirements, or human-review checkpoints. The Batch Generation feature (generate_post.py --batch topics.txt --output posts.json) enables bulk post generation. Composed with any Twitter/X posting skill, this creates a fully automated impersonation pipeline — analyze target account, generate authentic-looking posts at scale, post without human review — suitable for disinformation operations or account fraud.

LOW Predictable temp file /tmp/voice-profile-temp.json vulnerable to symlink/race attack -8

generate_post.py hardcodes the string literal '/tmp/voice-profile-temp.json' as the temporary profile output path. On a shared system, a local attacker could pre-create a symlink at this path to redirect writes to a sensitive file, or pre-populate a malicious profile that influences generation. Python's tempfile.mkstemp() should be used instead to create uniquely named temp files with safe permissions.

LOW SKILL.md instructs agent to cd to hardcoded absolute path before execution -5

The Quick Start section instructs the agent to execute cd /data/workspace/skills/x-voice-match before running the Python scripts. Changing working directory modifies how all subsequent relative path resolutions in the same session operate, which could cause the agent's other tool calls to resolve paths unexpectedly.

INFO Installation performed standard git sparse-checkout from GitHub -12

The skill was installed via git clone --depth 1 --no-checkout from github.com/openclaw/skills.git (resolving to GitHub IP 140.82.121.3:443) followed by sparse-checkout of skills/gravyxbt/x-voice-match. No unexpected processes were spawned during installation. Filesystem changes were confined to /home/oc-exec/skill-under-test/. Pre-existing connections to Ubuntu/Canonical infrastructure (91.189.91.48, 185.125.188.57, 185.125.188.59) are SSH and update-check services unrelated to the skill install. Connection diff shows no new persistent outbound connections after installation.