Is guohongbin-git/agent-sleep safe?
https://github.com/openclaw/skills/tree/main/skills/guohongbin-git/agent-sleep
agent-sleep presents multiple CAUTION-level concerns: a hardcoded developer personal path (/Users/guohongbin/) in note.py, installation of persistent cron jobs via a schedule.py script that is not shipped with the skill and so could not be audited, and a deep integration with agent memory stores that can route memory content to a CortexGraph storage location outside the host. Canary files were not accessed by the skill, and clone-time behavior was clean. The skill is not definitively malicious, but it demonstrates poor security hygiene and contains design patterns that could facilitate memory exfiltration.
Category Scores
Findings (8)
HIGH Hardcoded developer personal path in note.py -30
scripts/note.py hardcodes NOTE_TAKER_DIR = Path('/Users/guohongbin/mcp-note-taker'), the absolute macOS home directory path of the skill author, and directs all note writes there. On Linux VMs this silently fails, but the pattern itself is the red flag: no legitimate redistributable skill should contain a hardcoded author home directory path. On a macOS host where this path exists or can be created, note content flows into the developer's directory.
HIGH schedule.py installs persistent cron jobs with missing source code -35
SKILL.md instructs users to run 'python3 scripts/schedule.py --set "0 3 * * *"' to install a nightly cron job. schedule.py is not present in the distributed files and could not be audited. A crontab entry installed by a skill is not removed when the skill's files are removed, so it is a durable execution vector: the schedule keeps firing, and whatever is later placed at the path it invokes runs as the user on that schedule.
MEDIUM Agent memory file reading during sleep cycles -20
run_sleep_cycle.py and the Deep Sleep workflow described in SKILL.md read the full content of the daily memory logs (~/.openclaw/workspace/memory/YYYY-MM-DD.md) and of MEMORY.md. Although framed as 'compression', the skill consumes the complete content of the agent's memory files; combined with the CortexGraph sync, this is a pathway for memory contents to leave the host.
MEDIUM CortexGraph external memory synchronization -15
The skill's CortexGraph mode (--mode cortexgraph) syncs the agent's MEMORY.md and daily logs to a storage location configured via CORTEXGRAPH_STORAGE_PATH. If that path resolves to a network-mounted store, or if the CortexGraph MCP tool forwards data to a remote service, the entire agent memory leaves the host under the guise of 'forgetting curve' optimization.
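One way to answer the "does this path resolve to a network-mounted store" question before enabling --mode cortexgraph is to expand and resolve CORTEXGRAPH_STORAGE_PATH and look up the filesystem that backs it. The following is an added example written for this review, not code from agent-sleep or from CortexGraph. It assumes a Linux host with /proc/mounts; the mount table embedded in it is constructed, and the set of network filesystem types is a starting list, not an exhaustive one.

```python
"""Where does CORTEXGRAPH_STORAGE_PATH actually land?

Added example, not code from the skill or from CortexGraph. Linux only: it
expands and resolves the path (so a symlink into a share is still caught),
finds the longest-prefix mount point in /proc/mounts, and reports whether the
filesystem there is network-backed.
"""
import os
import re
from pathlib import PurePosixPath

# Filesystem types that store data on another host (starting list, not exhaustive).
NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "smbfs", "afs", "ceph", "glusterfs",
              "9p", "fuse.sshfs", "fuse.rclone", "davfs", "fuse.davfs2"}
# Mount sources of the form host:/export or //server/share.
REMOTE_SOURCE_RE = re.compile(r"^(//|[\w.-]+:/)")


def parse_mounts(text):
    """/proc/mounts text -> [(mount_point, fstype, source)]; '\\040' encodes a space."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            entries.append((parts[1].replace("\\040", " "), parts[2], parts[0]))
    return entries


def mount_for(path, mounts):
    """The deepest mount entry whose mount point is path or one of its ancestors."""
    best = None
    for mp, fstype, source in mounts:
        mp_path = PurePosixPath(mp)
        if (path == mp_path or mp_path in path.parents) and (
                best is None or len(mp_path.parts) > len(PurePosixPath(best[0]).parts)):
            best = (mp, fstype, source)
    return best


def classify_storage_path(path_str, mounts_text, resolver=os.path.realpath):
    """Return (resolved_path, fstype, source, is_network).

    resolver is injectable so the function can be exercised against a
    constructed /proc/mounts without touching the live filesystem.
    """
    expanded = os.path.expandvars(os.path.expanduser(path_str))
    resolved = PurePosixPath(resolver(expanded))
    entry = mount_for(resolved, parse_mounts(mounts_text))
    if entry is None:
        return (str(resolved), None, None, False)
    mp, fstype, source = entry
    is_network = fstype in NETWORK_FS or bool(REMOTE_SOURCE_RE.match(source))
    return (str(resolved), fstype, source, is_network)


# Constructed /proc/mounts: the CortexGraph directory sits on an NFS export.
SAMPLE_MOUNTS = """\
/dev/nvme0n1p2 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
nas.example.internal:/export/agents /home/agent/.openclaw/cortexgraph nfs4 rw,relatime 0 0
//fileserver/share /mnt/share cifs rw,relatime 0 0
"""

if __name__ == "__main__":
    # Default location is an assumption for the demo; the real default is whatever the skill uses.
    configured = os.environ.get("CORTEXGRAPH_STORAGE_PATH", "~/.openclaw/cortexgraph")
    with open("/proc/mounts") as f:
        live = classify_storage_path(configured, f.read())
    print("resolved=%s fstype=%s source=%s network=%s" % live)
```

Run it in the same environment the agent runs in, since CORTEXGRAPH_STORAGE_PATH may be set only for that process. A local-looking directory that is a symlink into a share is reported as network because realpath follows the link before the mount lookup; a path that is local but later gets bind-mounted or replaced still needs re-checking, so treat this as a pre-enable gate, not a one-time verdict.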
MEDIUM Referenced scripts absent from distributed skill -20
sleep_status.py and schedule.py are advertised in SKILL.md and AGENT.md as core tools but are not included in the distributed skill files; only note.py and run_sleep_cycle.py are present. The installed behavior therefore cannot be fully audited before installation, and the scripts that end up on the system may differ from what was reviewed here.
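The three static findings so far (a hardcoded author home directory, a script that installs cron persistence, and scripts referenced from the docs but not shipped) can all be checked against an unpacked skill directory before anything is installed. The following lint is an added example written for this review, not code from agent-sleep, from OpenClaw, or from the scanner that produced these findings. The sample skill contents are constructed to mirror the findings above, and the regexes are a first cut: they catch the patterns seen here, not every way a script can persist or hide a path.

```python
"""Pre-install lint for a skill directory: the checks behind the findings above.

Added example, not code from the agent-sleep skill or from the review tooling.
It flags hardcoded author home directories, scripts referenced from SKILL.md
or AGENT.md that are not shipped, and shell-outs to persistence mechanisms.
"""
import re
import sys
from pathlib import Path

# Literal /Users/<name>/ or /home/<name>/; "$HOME" and "~" are the portable forms.
HOME_PATH_RE = re.compile(r"(?<![\w$])/(?:Users|home)/([A-Za-z0-9._-]+)/")
# scripts/<name>.py mentions in the documentation files.
SCRIPT_REF_RE = re.compile(r"scripts/([A-Za-z0-9_.-]+\.py)")
# Commands that keep something running after the skill's own process exits.
PERSISTENCE_RE = re.compile(r"\b(crontab|launchctl|systemctl\s+(?:--user\s+)?enable)\b")
DOC_FILES = ("SKILL.md", "AGENT.md")


def find_hardcoded_home_paths(files):
    """files: {relative_path: text}. Returns (file, line_no, username) triples."""
    hits = []
    for name, text in files.items():
        if not name.endswith(".py"):
            continue
        for line_no, line in enumerate(text.splitlines(), start=1):
            for m in HOME_PATH_RE.finditer(line):
                hits.append((name, line_no, m.group(1)))
    return hits


def find_missing_referenced_scripts(files):
    """Scripts named in SKILL.md/AGENT.md but absent from scripts/, sorted."""
    referenced = set()
    for doc in DOC_FILES:
        referenced.update(SCRIPT_REF_RE.findall(files.get(doc, "")))
    present = {Path(name).name for name in files if name.startswith("scripts/")}
    return sorted(referenced - present)


def find_persistence_calls(files):
    """(file, line_no, command) for crontab / launchctl / systemctl enable usage."""
    hits = []
    for name, text in files.items():
        if not name.endswith((".py", ".sh")):
            continue
        for line_no, line in enumerate(text.splitlines(), start=1):
            m = PERSISTENCE_RE.search(line)
            if m:
                hits.append((name, line_no, m.group(1)))
    return hits


def load_skill_dir(root):
    """Read the .py/.sh/.md files under root into {relative_path: text}."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="replace")
            for p in root.rglob("*") if p.is_file() and p.suffix in {".py", ".sh", ".md"}}


def lint(files):
    """Return (severity, message) findings in the order the checks run."""
    findings = []
    for name, ln, user in find_hardcoded_home_paths(files):
        findings.append(("HIGH", f"{name}:{ln}: hardcoded home directory of user '{user}'"))
    for script in find_missing_referenced_scripts(files):
        findings.append(("MEDIUM", f"scripts/{script} is referenced in docs but not shipped"))
    for name, ln, cmd in find_persistence_calls(files):
        findings.append(("HIGH", f"{name}:{ln}: installs persistence via '{cmd}'"))
    return findings


# Constructed sample that mirrors the findings above; not the skill's real files.
SAMPLE_SKILL = {
    "SKILL.md": ("Run `python3 scripts/schedule.py --set \"0 3 * * *\"` for nightly sleep.\n"
                 "Check progress with scripts/sleep_status.py; notes go through scripts/note.py.\n"),
    "AGENT.md": "Deep Sleep runs scripts/run_sleep_cycle.py over the daily logs.\n",
    "scripts/note.py": ("from pathlib import Path\n"
                        "NOTE_TAKER_DIR = Path('/Users/guohongbin/mcp-note-taker')\n"),
    "scripts/run_sleep_cycle.py": "import os\nMEMORY_DIR = os.path.expanduser('~/.openclaw/workspace/memory')\n",
}

if __name__ == "__main__":
    target = load_skill_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SKILL
    for severity, message in lint(target):
        print(f"{severity:<6} {message}")
```

Point it at a cloned skill directory (`python3 lint_skill.py path/to/agent-sleep`) to get the same three classes of finding. The missing-script check is the one to act on first: a script the documentation tells the user to run but the package does not ship is, by construction, code you cannot review before it runs.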
LOW Skill chaining with external dependency skills -10
The SKILL.md integration table lists memory-sync-cn, agent-library, and cortexgraph as integration partners whose scripts and MCP tools agent-sleep invokes directly. These dependencies are neither versioned nor pinned, so the skill's effective behavior can change when a dependency skill is updated, without any change to agent-sleep itself.
LOW Biological framing obscures invasive memory access pattern -20
The skill uses biological sleep metaphors ('Deep Sleep', 'dreaming', 'circadian rhythm', 'Brain Rot prevention') to normalize what are, concretely, invasive operations: reading all agent logs, extracting their content, archiving the originals, deleting temp files, and syncing memory externally. The framing works as social engineering: it can lower a user's guard when approving these operations.
INFO Post-install external connections attributed to platform, not skill 0
Three ESTABLISHED connections to AWS (3.213.170.18) and Cloudflare (104.16.5.34) appear in the post-install connection diff, but all are owned by openclaw-gatewa (pid=1087), the OpenClaw platform gateway process that was already running before the skill was installed (the process name is cut to 15 characters by the kernel's comm limit, which is why it appears truncated). No connections owned by the skill's own scripts were observed.
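The attribution in this finding rests on joining the connection diff to the process ids that existed before the install: a new socket inside an old process is platform activity, a socket inside a process that appeared with the install is the skill's. The following is an added example of that join written for this review, not the review tooling itself. It parses `ss -tnp` output (Linux iproute2); the sample rows are constructed, and the python3 socket in them is hypothetical, included only to exercise the skill-attributable branch that the real review did not hit.

```python
"""Attribute post-install connections to their owning process.

Added example, not code from the review tooling. It parses `ss -tnp` output
captured before and after a skill install and reports the ESTABLISHED sockets
that are new, marking each as owned by a pre-existing platform process or by a
process that appeared with the install. Sample rows are constructed; the
python3 socket is hypothetical.
"""
import re
import subprocess

# One `ss -tnp` data row: state, Recv-Q, Send-Q, local, peer, users:(("name",pid=N,fd=M),...)
ROW_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)"
    r"(?:\s+users:\((?P<users>.*)\))?\s*$")
USER_RE = re.compile(r'\("(?P<name>[^"]*)",pid=(?P<pid>\d+),fd=\d+\)')


def parse_ss(text):
    """`ss -tnp` output -> [(state, local, peer, process_name, pid)], one row per owner."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or line.startswith("State"):
            continue
        # A socket with no owner (e.g. TIME-WAIT) gets a placeholder owner and pid 0.
        owners = USER_RE.findall(m.group("users") or "") or [("?", "0")]
        for name, pid in owners:
            rows.append((m.group("state"), m.group("local"), m.group("peer"), name, int(pid)))
    return rows


def new_established(before_text, after_text, baseline_pids):
    """Sockets present after but not before, tagged by whether their pid predates the install.

    baseline_pids: pids alive before the install (e.g. from `ps -eo pid=`), so a
    new socket in an old process such as the gateway is not blamed on the skill.
    """
    before = {(local, peer, pid) for _, local, peer, _, pid in parse_ss(before_text)}
    result = []
    for state, local, peer, name, pid in parse_ss(after_text):
        if state != "ESTAB" or (local, peer, pid) in before:
            continue
        result.append({"peer": peer, "process": name, "pid": pid,
                       "attributable_to_skill": pid not in baseline_pids})
    return result


def snapshot():
    """Live capture for the before/after diff; Linux with iproute2 only."""
    return subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=True).stdout


# Constructed snapshots modelled on the finding above. The python3 row is hypothetical.
SS_BEFORE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB  0      0      10.0.2.15:38120    104.16.5.34:443   users:(("openclaw-gatewa",pid=1087,fd=11))
"""
SS_AFTER = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB  0      0      10.0.2.15:38120    104.16.5.34:443   users:(("openclaw-gatewa",pid=1087,fd=11))
ESTAB  0      0      10.0.2.15:41982    3.213.170.18:443  users:(("openclaw-gatewa",pid=1087,fd=19))
ESTAB  0      0      10.0.2.15:41990    3.213.170.18:443  users:(("python3",pid=2231,fd=3))
TIME-WAIT 0   0      10.0.2.15:41950    3.213.170.18:443
"""

if __name__ == "__main__":
    for conn in new_established(SS_BEFORE, SS_AFTER, baseline_pids={1, 1087}):
        who = "NEW process" if conn["attributable_to_skill"] else "platform process (pre-existing)"
        print(f'{conn["peer"]:<20} {conn["process"]}[{conn["pid"]}]  {who}')
```

Take the baseline pid list and the `ss` snapshot together, immediately before the install, and the second snapshot right after the skill's install and first run; otherwise short-lived child processes spawned by the skill (a `python3 scripts/...` invocation that connects and exits) can be missed entirely, which is the one case this join cannot settle from two snapshots alone.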