Is matusvojtek/briefing-room safe?
https://github.com/openclaw/skills/tree/main/skills/matusvojtek/briefing-room
Briefing Room is a macOS-only daily news briefing skill with no overtly malicious behavior detected in source code, installation behavior, or runtime activity. The skill's code is readable and auditable, includes positive security controls (output path allowlisting, temp file cleanup, stdlib-only Python), and the git installation was clean with no unexpected network connections or persistence. The primary residual concerns are an indirect prompt injection surface from unsanitized third-party web content (getdaytrends.com HTML, Google Trends RSS headlines) flowing into the agent's context, incomplete validation of TTS binary path config keys that could be exploited if the shared config file is externally modified, and the broad operational scope of the spawned sub-agent.
Findings (9)
LOW Indirect Prompt Injection via Unsanitized External Web Content -17
The skill fetches live HTML from getdaytrends.com and RSS XML from trends.google.com, extracts trend names and news headlines via regex, and passes them verbatim into the agent context as data to be written into the briefing script. An adversary controlling or capable of injecting into these services could embed LLM instructions (e.g., 'Ignore previous instructions and...') in trend names or RSS headline text that the sub-agent would then process.
LOW Incomplete Config Path Validation Allows Arbitrary Binary Execution Path -12
config.py properly validates output.folder against a safe directory allowlist, but the mlx_audio.path and kokoro.path config keys are stored and used as-is. If ~/.briefing-room/config.json were written by another skill or a compromised process, these keys could point to malicious binaries that the SKILL.md pipeline would invoke as TTS engines.
LOW Four Outbound Third-Party API Calls Per Briefing Run -8
Each briefing run contacts open-meteo.com, api.coinbase.com, getdaytrends.com, and trends.google.com. All are appropriate for the stated functionality. However, each represents an outbound channel that could, in a compromised environment, leak system metadata via query parameters, headers, or timing. The getdaytrends.com fetch uses a spoofed Chrome browser User-Agent to bypass Cloudflare.
INFO Inline Python via Shell Pipe for HTML/XML Parsing -7
briefing.sh uses python3 -c '...' piped from bash variables containing fetched HTML/XML. The Python code itself is static and fully auditable within the script; it does not eval or exec external strings. The pattern is safe but worth noting as it blurs the line between script and runtime code.
INFO Browser User-Agent Impersonation for Cloudflare Bypass -10
The skill declares a full Chrome 131 macOS User-Agent to successfully scrape getdaytrends.com, which is protected by Cloudflare. This is a deliberate deception of the remote server's bot-detection mechanisms. The technique is documented in code comments and serves a functional purpose, but represents a mild evasion behavior.
INFO Long-Running Sub-Agent with Broad Tool Access -15
The skill spawns a sessions_spawn sub-agent with a 600-second timeout and the full pipeline task injected as a string. The sub-agent independently executes web searches, shell commands, Python scripts, and file operations. If any upstream content (config, fetched headlines) carries adversarial instructions, the sub-agent has a large tool surface to act on them.
INFO Config File Shared State Creates Cross-Skill Combination Risk -10
The skill reads from ~/.briefing-room/config.json which any other process or installed skill with filesystem access can write to. A malicious co-installed skill could manipulate the host.name, mlx_audio.path, or sections config to alter briefing behavior or execute unintended binaries. The skill itself does not create this vulnerability, but the shared config file is a latent attack vector.
INFO Clean Installation — No Unexpected Activity -7
Installation was a straightforward git sparse-checkout from the official openclaw/skills monorepo. No unexpected network connections, no processes persisted after install, no filesystem changes outside the skill directory. Connection diff shows no new listeners or established connections attributable to the skill post-install.
INFO Canary File Reads Attributable to Monitoring System, Not Skill -10
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCloud credentials) were read at two audit timestamps: 1771918753 (before git clone began at 1771918759 — definitively pre-installation) and 1771918776 (post-install, during oathe audit framework integrity verification). Skill source code contains no references to these paths. All files remain unmodified.