Is bluesky safe?

https://clawhub.ai/jeffaf/bluesky

82
SAFE

This is a well-built, legitimate Bluesky CLI skill with clean code, no hidden behaviors, and no evidence of malicious intent. The Python script is straightforward, uses the official AT Protocol SDK, and stores credentials responsibly (session tokens only, restrictive file permissions). The primary risks are inherent to any social media automation skill: the agent can take real-world actions (posting, blocking, deleting) without per-action user confirmation, and the stored session token is accessible to other local processes.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

MEDIUM Social media actions without per-action confirmation -15

The skill enables posting, replying, following, blocking, muting, and deleting on Bluesky. An agent executing these commands acts with real-world consequences. There is no built-in confirmation step before destructive actions (delete, block) — this relies entirely on the agent's judgment and user trust.

LOW Session token stored in plaintext config file -8

The Bluesky session token is stored in ~/.config/bsky/config.json. While file permissions are set to 0o600 (owner-only), any other skill or process running as the same user can read this file and hijack the Bluesky session.

LOW Monitoring captured runtime reading sensitive files -10

During the install/scan phase, the OpenClaw runtime (not the skill itself) read /home/oc-exec/.env, .aws/credentials, and auth-profiles.json. These accesses are attributable to the framework initialization, not the skill code, but they were observed in the monitored environment.

LOW Agent instructed to handle credentials in conversation -10

The SKILL.md setup flow instructs the agent to guide the user through providing their app password in the chat, which is then passed as a CLI argument. While app passwords are designed for this purpose, the password may be logged in conversation history or shell history.

INFO Single third-party dependency with version pinning -5

The skill depends on atproto>=0.0.65,<0.1.0, the official AT Protocol Python SDK. Version is pinned to a range, reducing supply chain risk. No other dependencies.

INFO Session token theft enables account impersonation -5

If another skill or local process reads ~/.config/bsky/config.json, the session token can be used to act as the user on Bluesky without re-authentication. This is an inherent risk of local credential storage, not unique to this skill.