Is hsooooo/korea-metropolitan-bus-alerts safe?

https://github.com/openclaw/skills/tree/main/skills/hsooooo/korea-metropolitan-bus-alerts

Overall score: 79 · Verdict: CAUTION

This skill is a functionally legitimate Korean metropolitan bus arrival alert system with no malicious intent evident in its code. The primary security concerns are structural: build_prompt() interpolates unsanitized user-controlled route and stop identifiers into agent-executable cron job prompts that fire autonomously on schedule, and setup.py modifies systemd user service configuration by restarting the Gateway and writing persistent unit overrides. Canary credential file accesses observed during the monitoring window are attributable to the audit infrastructure's SSH sessions rather than to any skill code, and no data was exfiltrated.

Category Scores

Prompt Injection 76/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 68/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

MEDIUM Unsanitized user values interpolated into autonomous agent prompts -24

The build_prompt() function in scripts/cron_builder.py constructs a string that becomes the 'message' field of a Clawdbot cron agentTurn payload. It directly interpolates the city, node, and routes parameters with an f-string and no sanitization. These values originate from user input (rule_wizard.py interactive prompts) or TAGO API responses. A malicious user registering a rule could embed agent instructions in a route string that would then execute autonomously every time the cron fires.

MEDIUM setup.py restarts systemd user services and patches unit overrides -32

setup.py calls systemctl --user daemon-reload and systemctl --user restart to apply a new EnvironmentFile= directive pointing at the TAGO key file. This unconditionally disrupts any running Gateway session and writes a persistent override at ~/.config/systemd/user/.d/override.conf. The unit is auto-detected by scanning all user services for names containing both 'gateway' and 'clawdbot', but the detection logic accepts any match without user confirmation beyond the unit selection menu.

MEDIUM Persistent autonomous cron jobs run agent turns without per-execution user consent -28

Successfully registered rules create Clawdbot cron jobs with sessionTarget:isolated and deliver:true. Each scheduled fire launches a fresh agentTurn with a prompt that includes a shell command to run and instructions to format the output — all without user review. If the registered prompt is malformed or later manipulated, the agent will execute it repeatedly for the lifetime of the cron job. The SKILL.md correctly documents confirm-before-delete for cron removal, but there is no mechanism to confirm or audit what the scheduled agent is actually executing.

LOW rule_wizard.py passes user-controlled arguments to clawdbot CLI via subprocess -15

rule_wizard.py:cmd_register() constructs a subprocess call to 'clawdbot cron add' using a list of arguments that include user-supplied name, cron expression, timezone, message, channel, and delivery target. While argument list form (not shell=True) prevents shell injection, the message argument contains the output of build_prompt() which embeds the unsanitized route/city/node values, and the 'to' and 'channel' arguments are passed verbatim from interactive input.

LOW Canary credential files accessed during monitoring window -15

inotifywait and auditd PATH records show OPEN/ACCESS events on ~/.env, ~/.ssh/id_rsa, ~/.aws/credentials, ~/.npmrc, ~/.docker/config.json, and ~/.config/gcloud/application_default_credentials.json at 09:45:06 and 09:45:25. Analysis of EXECVE and SYSCALL records indicates these accesses originate from PAM/sshd operations during audit SSH session establishment and the audit framework's own canary baseline checks, not from any skill script. No skill code references these paths. Canary integrity confirmed intact.

INFO Repo origin inconsistency in _meta.json history -10

_meta.json lists version history commits pointing to github.com/clawdbot/skills while the latest version points to github.com/openclaw/skills. This may reflect a legitimate repo rename/transfer but represents an unverified provenance chain for older versions.