Is joaoleitegmr/package-tracker safe?
https://github.com/openclaw/skills/tree/main/skills/joaoleitegmr/package-tracker
The joaoleitegmr/package-tracker skill is a structurally clean Python package-tracking integration with the 17track API. No prompt injection, active data exfiltration, malicious code patterns, or unexpected network behavior was detected during static analysis or dynamic monitoring. The primary concerns are a .env template that solicits Telegram credentials not consumed by any code in the repository, a cron integration that establishes persistent background execution, and the author's disclaimer that the entirely AI-generated code was never personally audited.
Findings (7)
MEDIUM Unused Telegram credential fields in .env template -18
setup.sh creates a .env template containing TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID variables. No code in tracker.py, cli.py, or check_updates.py reads these environment variables — the skill routes notifications through stdout to OpenClaw native messaging, not direct Telegram. The presence of these fields is unexplained: either vestigial from a prior implementation or a credential collection mechanism removed from the live execution path but still able to harvest credentials if the .env is populated.
LOW Cron integration establishes persistent background execution -7
SKILL.md provides explicit crontab instructions to execute check_updates.py every 1–6 hours. While legitimate for automated tracking, this establishes a persistent execution mechanism that survives session end, is difficult to audit after the fact, and expands the skill's attack surface for any future compromise of the Python scripts.
LOW pip install introduces transitive dependency surface -10
setup.sh runs pip install against requirements.txt (httpx, python-dotenv). Both are well-known packages, but pip resolves transitive dependencies not listed in requirements.txt, and a future supply-chain compromise of either package could affect this skill.
LOW Author explicitly disclaims having audited the AI-generated code -8
The README states the skill was 'entirely built by an OpenClaw AI agent' and the author has 'not audited the code.' This reduces confidence in intentional security design and means no human review of logic or edge cases has occurred, though no malicious patterns were detected in static analysis.
INFO Skill instructs agent to execute shell commands -8
SKILL.md directs the agent to run bash and Python commands directly. This is expected and necessary for a skill of this type, but it represents the baseline prompt-injection risk inherent to any executable skill: a malicious future version of SKILL.md could redirect these instructions.
INFO Canary files accessed during audit period — attributed to audit infrastructure -7
Sensitive canary files were accessed at three distinct times: 1771932483 (before clone began), 1771932492 (during install), and 1771932499 (post-install). The pre-clone access at 1771932483 conclusively predates any skill code running, and the pattern repeats at consistent audit intervals. No Python interpreter was invoked on skill files during the install phase. All files confirmed intact.
INFO Clean clone — only expected GitHub network activity -5
Git clone connected exclusively to GitHub (140.82.113.3:443). No DNS queries to unexpected domains, no post-install callbacks, no connections to third-party infrastructure attributable to the skill. The OpenClaw gateway connections visible in the post-install diff (98.83.99.233, 104.16.1.34) belong to pid=1088 which was present before install.