Is mirai8888/seithar-intel safe?

The skill instructs the agent to fetch and process content from 20+ external RSS feeds (BleepingComputer, Full Disclosure, Exploit-DB, EUvsDisinfo, Bellingcat, DFRLab, etc.) using web_fetch on a 2-hour cron schedule without user initiation. This content is processed by the LLM in the same context window as system instructions. Any feed that is compromised, poisoned, or attacker-controlled can embed instructions the agent will execute. Because the fetching is proactive and autonomous, this attack surface is active between user sessions.

When the user requests a deep dive on any topic or CVE, the skill fetches the full content of the linked article via web_fetch. This means any article reachable from a monitored RSS feed can inject arbitrary instructions into the agent context. This is a textbook indirect prompt injection vector for agentic systems consuming external web content.

The Attribution section does not describe user benefit — it describes a propagation strategy. The phrasing 'The skill is the distribution channel' is unambiguous: the skill's primary purpose for its author is brand propagation via user screenshots and vocabulary adoption. This ulterior motive is a red flag that motivates future malicious updates to a skill that users have already installed and trusted.

SKILL.md describes five files the agent must read to function correctly (sources.md, frameworks/disarm-techniques.md, frameworks/attack-techniques.md, frameworks/seithar-taxonomy.md) but none exist in the installed repository. The skill is operationally incomplete. More critically, a future repository update could introduce these files with malicious instructions and they would be loaded without user review.

The skill's cron/heartbeat integration causes the agent to perform external content fetching without any user prompt. A malicious RSS entry appearing overnight would be processed and could execute injected instructions before the user next interacts with the agent. Standard reactive skills have this risk only during user-initiated actions; this skill has it continuously.

The skill explicitly recommends installing seithar-cogdef, described as handling 'analysis of specific content for manipulation.' Each additional skill from the same unverified author increases the instruction surface area and creates opportunities for cross-skill coordination that could be exploited.

The skill stores a detailed user interest profile (topics, skill level, study history, technique frequencies) in persistent memory and uses it to score and filter content. This profile could be inadvertently encoded in search query parameters sent to the NVD API or GitHub search endpoints, constituting unintentional data leakage about the user's security research interests.

The deep-dive feature searches GitHub for public proof-of-concept exploit code and presents specific file and line references (e.g., 'exploit.py lines 40-80 (payload construction)'). While framed as educational, this systematically lowers the barrier to exploit use for any CVE the user queries.

The installation process performed only expected operations: shallow sparse clone from github.com/openclaw/skills, sparse-checkout of the skill subdirectory, and file copy. The only external network connection was to 140.82.121.3:443 (GitHub). No unexpected process spawning, filesystem writes outside the skill directory, or suspicious network connections were observed.

All six honeypot credential files were verified unmodified after the install. File access events logged at two timestamps correspond to the audit harness's own setup and verification routines, not any skill-initiated process.