Is lukerspace/kirk-content-pipeline safe?
https://github.com/openclaw/skills/tree/main/skills/lukerspace/kirk-content-pipeline
Kirk Content Pipeline is a personal finance Twitter content generation tool that presents two significant concerns: it explicitly documents and normalizes a technique for bypassing Claude's subagent file access restrictions via filesystem symlinks (deliberately circumventing an intentional security control), and it instructs the agent to transmit private portfolio positions and trade data to a non-standard financial API (kicksvc.online). The skill appears to be a legitimate personal tool built for a specific user's workflow, but its security bypass technique has broad dual-use potential and its financial data exposure is non-trivial. Clone behavior was clean with no unexpected network activity, and canary file accesses are attributable to the audit framework rather than the skill.
Findings (10)
HIGH Explicit Agent Security Bypass via Filesystem Symlinks -20
The skill explicitly documents a technique for circumventing Claude's subagent file access restrictions. It instructs the main agent to create a symlink from a blocked external path (/Users/Shared/ksvc/pdfs/) into the project directory (.claude/pdfs-scan), then directs subagents to read via the symlinked path. The skill describes this as a deliberate fix for the 'Permission to use Read has been auto-denied (prompts unavailable)' security control and includes benchmarks proving it works. This is a documented, repeatable method for bypassing the agent sandbox that could be applied to any filesystem path, not just PDFs.
HIGH Private Portfolio and Trade Data Sent to Non-Standard External API -25
The skill instructs the agent to repeatedly query https://kicksvc.online/api/ across seven model endpoints (usa-model1 through usa-model5, twse-model1 through twse-model2) to retrieve portfolio positions, entry prices, profit percentages, exit dates, and full tradebook records. This private financial data is transmitted to a non-standard domain not operated by a recognized financial services provider. While this appears to be the user's own trading service, any operator of this domain — or a network-level attacker — receives structured queries exposing the user's complete investment portfolio.
MEDIUM Access to User's Private Research Documents Outside Project Scope -15
The skill instructs the agent to scan, read, and extract data from analyst research PDFs stored in /Users/Shared/ksvc/pdfs/ — a shared directory outside the project scope. These are described as potentially proprietary reports from Goldman Sachs, Morgan Stanley, and similar institutions. The documented symlink bypass also enables subagents to access these files, compounding the data access surface.
MEDIUM Multi-Skill Chaining Creates Unauditable Compound Permission Surface -10
The skill mandates invocation of at least four additional skills (/kirk-mode, /audit-content, /humanizer, /chart-factory) and an external LLM tool (gemini CLI). Each chained skill introduces its own instruction set and permission scope. The aggregate behavioral footprint of all chained skills executing together is not auditable from this skill alone; a malicious dependency could inject instructions that compound the security bypass techniques documented here.
MEDIUM All Six Canary Credential Files Accessed During Monitoring Period -30
inotifywait and auditd both record OPEN+ACCESS events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json. Two access batches occurred: at audit timestamp 1771940656.132 (5 seconds before the git clone, consistent with the audit framework's sudo initialization) and at 1771940676.351 (15 seconds after files were copied, consistent with the post-install audit integrity scan). The skill has no install scripts and these accesses cannot be attributed to skill code execution. File contents were not modified, and no network exfiltration of canary content was detected. Official audit verdict: intact.
MEDIUM Security Bypass Technique Normalized and Documented as Best Practice -25
By presenting the symlink bypass in a dedicated 'Subagent Permissions (CRITICAL)' section with a formatted access-method table, empirical benchmarks, and a success case study, the skill treats circumventing agent file access controls as standard engineering. An agent following this skill learns to proactively create symlinks whenever file access is denied, regardless of whether that denial was intentional. Combined with any other skill that can direct path selection, this technique provides a generic mechanism for accessing arbitrary user files.
LOW Broad Trigger Conditions Risk Unintended Activation -5
The skill's activation conditions include highly generic phrases ('create content', 'write thread', 'make a post', 'shitpost') that could trigger the pipeline — including financial API queries and PDF access — in conversations where the user did not intend to invoke financial content generation.
LOW Python Script Included — Content Not Fully Inspectable from Audit Evidence -10
scripts/build_extraction_cache.py is bundled with the skill and the agent is instructed to execute it directly. The script's purpose (building structured JSON from RLM pickle state) appears benign based on the README description, but the full script source was not provided in the audit evidence. No analysis of the Python code's actual behavior is possible from the available data.
LOW External Tool Orchestration with Privileged File System Access -10
The skill instructs the agent to run multiple external Python tools (rlm_repl.py, rlm_repl.py for multi-document mode) that are referenced from ~/.claude/skills/ paths. These tools perform PDF extraction and grep operations. Their code is not included in this skill and cannot be audited here; they represent external dependencies with filesystem access.
INFO Clean Install — Standard Git Sparse-Checkout with No Unexpected Behavior -10
The skill was installed via a standard git sparse-checkout clone from the openclaw/skills monorepo on GitHub (140.82.121.3:443). Files were copied to /home/oc-exec/skill-under-test/ and the temporary clone directory was cleaned up. No unexpected processes were spawned, no files were created outside the skill directory, and no connections were made to unexpected external hosts.