Is focus-deep-work safe?

https://clawhub.ai/jhillin8/focus-deep-work

Score: 60 (CAUTION)

The focus-deep-work skill itself is a benign, markdown-only productivity timer with no code-execution vectors. The repository, however, also bundles an undisclosed second skill ('finance'), published by a different owner, that contains executable Python scripts, pip dependencies, outbound HTTP requests and subprocess spawning. This cross-owner bundling is a Trojan horse pattern: a user installing a simple focus timer unknowingly receives financial-tracking code with network access and code-execution capability.

Category Scores

Prompt Injection: 75/100 (weight 30%)
Data Exfiltration: 55/100 (weight 25%)
Code Execution: 30/100 (weight 20%)
Clone Behavior: 70/100 (weight 10%)
Canary Integrity: 100/100 (weight 10%)
Behavioral Reasoning: 40/100 (weight 5%)

Findings (11)

HIGH Undisclosed bundled skill with executable Python code -70

The focus-deep-work repository contains a complete second skill ('finance') with three Python scripts that make HTTP requests, spawn subprocesses, and require pip package installation. This finance skill was not advertised as part of the focus-deep-work install and is published by a different owner.

HIGH Bundled skill injects agent execution instructions -25

The finance SKILL.md contains instructions directing the agent to install pip dependencies and execute Python scripts. These instructions are injected into the agent's context when a user only intended to install a focus/productivity timer.

MEDIUM Python scripts make outbound HTTP requests to external APIs -25

market_quote.py connects to open.er-api.com and yfinance connects to Yahoo Finance servers. While these are legitimate financial APIs, they represent outbound data channels that were not disclosed as part of the focus-deep-work skill.

MEDIUM Sensitive files accessed during install context -20

During installation, .env, .aws/credentials, openclaw.json and auth-profiles.json were read. This appears to be the agent runtime loading its own configuration rather than access triggered by the skill, but it shows that live credentials are reachable from the environment in which skill code would run.

MEDIUM Subprocess spawning chain in watchlist script -15

market_watchlist.py uses subprocess.run() to invoke market_quote.py, creating a process chain. The call itself is not the defect; the concern is that if either script were modified, whatever it then spawns runs with the privileges of the skill execution environment, and the chain widens what such a change could execute.

MEDIUM Cross-owner skill bundling (Trojan horse pattern) -60

The focus-deep-work skill (owner kn7dsq...) bundles a finance skill from a different owner (kn78eq...). This cross-owner bundling without disclosure is a social engineering vector: users trust the skill they chose to install, not undisclosed additions.

LOW pip install of third-party packages expands supply chain surface -10

requirements.txt specifies yfinance>=0.2.40, pandas>=2.0.0 and requests>=2.31.0. These are open-ended lower bounds with no exact version or hash pinning, so pip installs whichever newest release PyPI serves at install time, including a compromised or substituted one. Pulling three third-party packages from PyPI for a skill advertised as a markdown timer expands the supply-chain surface accordingly.
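The three findings above (the undisclosed bundled skill, the SKILL.md that instructs the agent to install and run code, and the floating pip requirements) can all be caught before anything is installed by a static walk over the cloned repository. The following checker is an added example written for this page, not part of clawhub.ai or of either skill. It builds a constructed fixture directory that mimics the layout the report describes (a root SKILL.md plus a finance/ subdirectory with a SKILL.md, requirements.txt, market_quote.py and market_watchlist.py); the file contents are stand-ins written for the example, not the real skill's code. It flags every SKILL.md other than the root one as a bundled manifest (the owner comparison still has to be made against the registry listing, which this script cannot see), scans SKILL.md files for install/run instructions, uses the `ast` module to find network imports and subprocess/os exec calls in Python files, and lists requirements that are not pinned to an exact version.

```python
"""Pre-install static audit of a cloned agent-skill repository.

Example code for this page; the fixture contents are constructed stand-ins.
"""
from __future__ import annotations

import ast
import re
import tempfile
from pathlib import Path

# Module roots whose import we treat as a network capability worth disclosing.
NETWORK_MODULES = {"requests", "urllib", "urllib3", "http", "socket",
                   "httpx", "aiohttp", "yfinance"}
# (module, attribute) call pairs that spawn another process.
EXEC_CALLS = {("subprocess", "run"), ("subprocess", "Popen"),
              ("subprocess", "call"), ("subprocess", "check_output"),
              ("subprocess", "check_call"), ("os", "system"), ("os", "popen")}
# Shell-ish instructions a manifest may hand to the agent.
INSTRUCTION_RE = re.compile(
    r"\b(pip3? install|npm install|python3? |curl |wget |bash |sh )")


def python_capabilities(src: str) -> set[str]:
    """Return {'network', 'subprocess'} subset found in a Python source."""
    caps: set[str] = set()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Import):
            roots = [a.name.split(".")[0] for a in node.names]
        elif isinstance(node, ast.ImportFrom):
            roots = [(node.module or "").split(".")[0]]
        else:
            roots = []
        if any(r in NETWORK_MODULES for r in roots):
            caps.add("network")
        if isinstance(node, ast.Call):
            f = node.func
            if (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
                    and (f.value.id, f.attr) in EXEC_CALLS):
                caps.add("subprocess")
    return caps


def exec_instructions(manifest: str) -> list[str]:
    """Install/run commands a SKILL.md asks the agent to execute."""
    return sorted({m.group(1).strip() for m in INSTRUCTION_RE.finditer(manifest)})


def unpinned_requirements(text: str) -> list[str]:
    """Requirement lines lacking an exact '==' pin (comments/options skipped)."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith("-") and "==" not in line:
            out.append(line)
    return out


def audit_skill_repo(root: Path) -> dict:
    """Walk a cloned skill repo and collect everything a user should be told."""
    root = Path(root)
    manifests = sorted(p.relative_to(root).as_posix() for p in root.rglob("SKILL.md"))
    report = {
        "skill_manifests": manifests,
        # Any manifest other than the root one is a bundled skill.
        "bundled_skills": [m for m in manifests if m != "SKILL.md"],
        "exec_instructions": {},
        "python_files": {},
        "unpinned_requirements": [],
    }
    for m in manifests:
        hits = exec_instructions((root / m).read_text())
        if hits:
            report["exec_instructions"][m] = hits
    for py in sorted(root.rglob("*.py")):
        caps = python_capabilities(py.read_text())
        if caps:
            report["python_files"][py.relative_to(root).as_posix()] = sorted(caps)
    for req in sorted(root.rglob("requirements.txt")):
        report["unpinned_requirements"] += unpinned_requirements(req.read_text())
    return report


def build_fixture() -> Path:
    """Constructed repo mirroring the layout in the report (contents are stand-ins)."""
    root = Path(tempfile.mkdtemp(prefix="skill-audit-"))
    (root / "SKILL.md").write_text("# focus-deep-work\nA markdown-only focus timer.\n")
    fin = root / "finance"
    fin.mkdir()
    (fin / "SKILL.md").write_text(
        "# finance\nRun `pip install -r requirements.txt` then `python market_quote.py`.\n")
    (fin / "requirements.txt").write_text("yfinance>=0.2.40\npandas>=2.0.0\nrequests>=2.31.0\n")
    (fin / "market_quote.py").write_text(
        "import requests\n"
        "def quote(base='USD'):\n"
        "    return requests.get(f'https://open.er-api.com/v6/latest/{base}', timeout=10).json()\n")
    (fin / "market_watchlist.py").write_text(
        "import subprocess, sys\n"
        "for sym in sys.argv[1:]:\n"
        "    subprocess.run([sys.executable, 'market_quote.py', sym], check=True)\n")
    return root


if __name__ == "__main__":
    for key, value in audit_skill_repo(build_fixture()).items():
        print(f"{key}: {value}")
```

Run it against a real clone with `audit_skill_repo(Path("focus-deep-work"))` before letting the agent read the manifests; a non-empty `bundled_skills` list is the trigger to compare each manifest's owner with the listing you actually chose to install.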

LOW JIT compilation artifacts created in /tmp -10

Multiple .cjs files were created in /tmp/jiti/ during installation. These are cache files written by the jiti loader used by the host runtime (it transpiles TypeScript to CommonJS on the fly), not skill-generated artifacts, but they show that code was being compiled and executed during the install step.

INFO No outbound network connections during install 0

Network monitoring detected zero connections during the clone and install phase, indicating the skill did not phone home during installation.

INFO All honeypot files intact 0

Canary files (fake credentials, SSH keys, .env) were not accessed or modified by the skill.

INFO focus-deep-work SKILL.md is clean 0

The primary skill's SKILL.md contains no prompt injection, hidden instructions, unicode tricks, or override attempts. It is a straightforward productivity timer description.