Is icecat2005/roomsound safe?

https://github.com/openclaw/skills/tree/main/skills/icecat2005/roomsound

88
SAFE

RoomSound is a well-structured home audio control skill implemented entirely as markdown documentation with no executable code, no git hooks, no submodules, and no prompt injection or data exfiltration instructions. The primary risks are inherent to its legitimate functionality: it instructs the agent to run sudo apt install on first use, makes continuous outbound requests to YouTube via yt-dlp, and persists Bluetooth device mappings in agent memory. The author demonstrates security awareness through explicit input sanitization and MAC validation guidance. No malicious indicators were found.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 83/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (7)

MEDIUM · Agent instructed to run sudo apt install · -15

SKILL.md instructs the agent to run 'sudo apt install yt-dlp mpv bluez pulseaudio-utils' on first use. While the packages are named explicitly and declared in metadata, this grants the skill the ability to install system-level software with elevated privileges. A user must approve this action, but the instruction is implicit in the setup flow.

LOW · yt-dlp makes outbound YouTube network requests · -10

Every audio search and playback operation sends search queries to YouTube via yt-dlp. These queries reflect user intent and context (time of day, recent activity, preferences). While functional and expected, they constitute a continuous outbound data flow to a third party.

LOW · Skill writes persistent config to ~/.config/yt-dlp/config · -8

The first-run flow instructs the agent to write '--js-runtimes node:/usr/bin/nodejs' into ~/.config/yt-dlp/config. This persists a configuration change outside the skill directory that affects all future yt-dlp invocations by the user, not just those from this skill.

LOW · Bluetooth device enumeration reveals home network topology · -10

The skill enumerates all paired Bluetooth devices, their MAC addresses, and connection status, and persists alias-to-MAC mappings in agent memory. This creates a persistent record of the user's home device inventory.

LOW · Canary files read during monitoring window · -7

Inotify and auditd logs show read-only access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at timestamps 1771928323.203 (before install) and 1771928346.502 (after install). Access pattern and timing are consistent with the Oathe audit infrastructure's own canary baseline verification, not skill-originated access. No network exfiltration of these files was detected. Canary integrity check confirms all files intact.

INFO · Persona assignment scoped to audio function · -5

SKILL.md opens with 'You are the RoomSound execution layer for speaker control and audio playback.' This is a standard skill persona declaration scoped to the skill's stated purpose. No attempt to override other system instructions or expand agent permissions beyond audio/Bluetooth control.

INFO · Input sanitization guidance explicitly present · 0

The skill includes explicit shell metacharacter stripping instructions for user-supplied input before shell interpolation, and MAC address validation regex. This is a positive security indicator demonstrating author awareness of injection risks.