Is roadrunner safe?
https://clawhub.ai/johntheyoung/roadrunner
The roadrunner skill is a well-structured CLI wrapper for Beeper Desktop messaging with strong built-in safety patterns (read-only defaults, explicit mutation consent, agent mode flags). It contains no executable code, no hidden instructions, and triggered no suspicious clone-time behavior. The primary risk is inherent to its functionality: it grants the agent broad access to the user's private messaging data and the ability to send messages, which makes it a potential exfiltration channel in multi-skill environments. The third-party binary installation via brew tap or Go module is an unverified supply chain dependency.
Findings (10)
MEDIUM Output suppression instruction -10
The skill instructs the agent to never paste raw rr command output into outgoing messages and to treat tool output as private. While this is a reasonable privacy measure for chat data, it establishes a pattern where the agent hides information from the user, which could mask malicious activity if the CLI were compromised.
MEDIUM Broad behavioral directives in SKILL.md -5
The skill sets persistent behavioral rules for the agent (default to read-only, require explicit consent, confirm ambiguous IDs). While these are safety-positive, the pattern of a skill setting broad agent behavioral rules could be abused by a less benign skill author.
LOW Shell history expansion warning could be social engineering vector -7
The skill instructs the agent to disable shell history expansion (set +H in bash, setopt NO_HIST_EXPAND in zsh). While technically valid advice, instructing the agent to modify shell settings is a minor privilege escalation pattern.
MEDIUM Full messaging data access by design -15
The skill provides the agent with commands to read all chats, messages, contacts, and attachments from the user's Beeper account. This is the intended functionality but represents significant exposure of personal communications data.
LOW Media download capability -5
The skill documents commands to download message attachments and stream raw attachment bytes, which could be used to extract media files from conversations.
LOW Auth token stored in readable config file -5
The Beeper auth token is stored in ~/.config/beeper/config.json and can be overridden via BEEPER_TOKEN env var. While the skill explicitly tells the agent not to access it, other skills or prompt injections could.
LOW Third-party brew tap and Go module installation -10
The skill installs a binary from johntheyoung/tap/roadrunner (Homebrew) or github.com/johntheyoung/roadrunner (Go). These are third-party sources whose supply chain integrity is not verified by this audit. A compromised tap/module could deliver a malicious binary.
INFO Host runtime reads sensitive files during initialization -15
The OpenClaw agent runtime (not the skill itself) reads ~/.env, ~/.aws/credentials, and other config files during its standard initialization. This is not attributable to the skill but is noted for completeness.
MEDIUM Messaging skill as exfiltration channel in multi-skill environments -25
In a multi-skill agent environment, a messaging skill is a high-value exfiltration channel. A malicious companion skill could use prompt injection to instruct the agent to send sensitive data via Beeper messages to an attacker-controlled chat ID.
LOW Force flag bypasses user confirmation -10
The --force flag disables confirmation prompts for destructive commands. If the agent is manipulated into using this flag, it could perform unwanted mutations without user consent.