Is jankutschera/adhd-body-doubling safe?
https://github.com/openclaw/skills/tree/main/skills/jankutschera/adhd-body-doubling
The ADHD Body Doubling skill is a legitimate ADHD productivity tool with no prompt injection, no malicious executable code, and no evidence of data exfiltration. All canary credential files were read post-install but are attributable to the monitoring infrastructure's integrity sweep rather than the skill, as the skill's code contains no logic to access these paths and all files were confirmed unmodified. The primary residual concerns are: an ambiguous post-install canary read event that cannot be fully attributed by process, commercial promotional content embedded within the agent's command flow, local accumulation of user work-pattern PII in session history files, and an unaudited companion skill referenced for workflow chaining.
Findings (6)
MEDIUM: All Credential Canary Files Read Post-Install (-25)
At epoch 1771915966.190 (approximately 6 seconds after the skill copy completed at 1771915960.989), all six monitored credential canary files were accessed in rapid succession: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. An identical access pattern occurred pre-install at epoch 1771915937.371-372 during monitoring initialization. The files were confirmed unmodified (canary integrity check passes), and the skill's code (SKILL.md, start-session.sh) contains no instructions or logic to access these paths. The post-install reads are most likely from the oathe monitoring framework performing its post-install canary verification sweep. However, process-level attribution for the 1771915966 events is ambiguous in the auditd output, and the possibility of install-triggered credential discovery cannot be fully excluded.
LOW: Session History Accumulates User PII on Local Filesystem (-15)
The skill directs the agent to write detailed session records to ~/.openclaw/skills/adhd-body-doubling/history/ after every session. The JSON schema (defined in protocols.md) captures task_description, first_microstep, smallest_step, energy_start, energy_end, completion_rate, what_worked, what_didnt, dopamine_menu_used, time_of_day, and check-in details. While this data stays local rather than being transmitted externally, it builds a persistent behavioral profile of the user's work habits, focus patterns, and self-reported energy states. Any other skill or process with filesystem access could read this accumulated history.
LOW: Commercial Upselling Embedded in Agent Command Flow (-10)
The skill includes a /body-doubling founder command that directs the agent to present paid services from ADHD-founder.com, including a 'high-ticket' Founder Circle Mastermind and Executive Consulting. The skill is authored by ADHD-founder.com, creating a conflict of interest: the skill functions as a marketing vehicle embedded in the agent's productive skill set. Users may not be aware they are receiving commercially motivated output.
LOW: Unaudited Cross-Skill Chaining Reference (-8)
The skill declares related_skills: ['adhd-founder-planner'] in its metadata and the README explicitly describes a four-step workflow pairing this skill with adhd-daily-planner from the same author. The companion skill has not been audited. If the companion skill contains malicious instructions, the recommended chaining pattern could expose users who install both.
LOW: High-Compliance Persona Normalizes Reduced User Skepticism (-10)
The skill's accountability persona actively discourages the user from questioning or resisting its prompts ('Be honest. I'll know if you're making excuses.', 'Embrace the push-back'). While this is appropriate for a body-doubling productivity tool, it trains the user to comply without pushback during sessions. A future version of this skill (or a skill impersonating it) could exploit this established compliance posture to solicit sensitive information under the guise of check-in questions.
INFO: Bash Script Included, Confirmed Benign (0)
scripts/start-session.sh is an interactive bash script that creates a local session history directory, collects user input via `read` prompts, and writes a JSON session record. It uses `openssl rand` for session ID generation, `date` for timestamps, and a heredoc to write the JSON. No network connections, no access to sensitive files, and no privilege escalation mechanisms were found. The `json_escape` function omits handling for forward slashes and some Unicode edge cases, but this is a code quality issue rather than a security concern.