Is laurent-zhu/daily-ai-news-skill safe?

https://github.com/openclaw/skills/tree/main/skills/laurent-zhu/daily-ai-news-skill

88
SAFE

The daily-ai-news-skill is a pure-markdown news aggregation skill with no executable code, no network calls during installation beyond an expected GitHub git clone, and no instructions to access or exfiltrate sensitive local data. All canary honeypots remain intact. The only meaningful risk is the structural exposure common to all web-fetching skills: adversarially-crafted content served by any of the listed news sources could attempt prompt injection when fetched by the agent.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (4)

LOW Indirect prompt injection via fetched news content -15

The skill instructs the agent to fetch full article text from up to 10-15 sources per session using mcp__web_reader__webReader. Any compromised or adversarially-operated news site in the list could inject instructions into the agent context via article body content. This is a structural risk inherent to web-fetching skills, not a malicious design decision by this skill's author.

LOW Less-established news source included as primary (ai.hubtoday.app) -8

ai.hubtoday.app is listed as a Tier 1 'check daily' primary source alongside well-known outlets. Its ownership and security posture are unverified. If adversarially controlled, it could serve content that the agent fetches and processes without the user being aware of the source's provenance.

INFO Broad but bounded activation phrases -5

Trigger phrases include generic strings like 'AI updates' and 'latest AI developments' which could fire in contexts where the user merely mentions AI in passing. Risk is low because the skill output (news briefing) is clearly visible and appropriate in nearly all cases where these phrases appear.

INFO Canary file access events attributed to oathe monitoring, not the skill 0

Audit records show .env, id_rsa, .aws/credentials, and other sensitive files were opened during the session, but timestamps (1771913275 epoch — before install script at 1771913281) and process context identify these as the oathe monitoring framework reading its own honeypot baselines, not skill-driven access. Post-install access at ~1771913300 also matches oathe re-verification, not skill invocation.