Is justao/social-trends safe?

https://github.com/openclaw/skills/tree/main/skills/justao/social-trends

87
SAFE

The justao/social-trends skill is a straightforward Douyin trending-topics fetcher with no evidence of malicious intent. SKILL.md is clean of prompt injection, canary files were not touched by skill code, and the installation process was standard. The two minor concerns are a platform-SDK path traversal pattern that is conventional within the oathe monorepo but unusual in general deployments, and an expected outbound HTTP call to the Douyin public API that carries no user-environment data.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (5)

LOW Path traversal outside skill directory for platform SDK import -10

run.py resolves Path(file).resolve().parents[2] / 'scripts' at module load time and inserts it into sys.path. This traverses two directory levels above the skill's own directory to reach the repository root's scripts/ folder. While consistent with the oathe monorepo convention for skill_runner imports, it establishes a structural dependency on deployment environment layout that could behave unexpectedly outside the platform.

LOW Outbound HTTP to external third-party API at runtime -12

Every invocation of fetch_douyin_hot() sends an HTTP GET to https://www.iesdouyin.com/web/api/v2/hotsearch/billboard/word/ with a Mozilla/5.0 User-Agent. No user-controlled data or environment variables are included in the request body or URL, but any outbound connection represents a potential channel for environment fingerprinting via IP or timing analysis if the endpoint were adversarially controlled.

LOW load_repo_dotenv() invoked at module import time from parent-directory SDK -10

The skill calls load_repo_dotenv(file) unconditionally at module initialization, before any guard clause. This platform-provided function (from skill_runner.env) likely reads a .env file from a parent directory relative to the skill. The behavior is consistent with oathe platform design, but executing this call in a non-oathe deployment context could attempt to read an arbitrary .env file from the parent of wherever the skill is installed.

INFO Canary file reads attributed to audit harness, not skill code 0

inotify and auditd PATH records show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. Cross-referencing timestamps with EXECVE events confirms both read events (t=1771917964 pre-clone, t=1771917982 post-install) correspond to the audit harness's two-pass canary baseline sweep. The skill code was never executed during this audit session.

INFO SKILL.md is clean with no injection vectors 0

Full inspection of SKILL.md found only valid YAML frontmatter (name, description, triggers, priority, requires_tools, output) and standard Markdown documentation. No hidden instructions, base64-encoded payloads, HTML comments, zero-width characters, or external URL references detected.