Is topic-monitor safe?
https://clawhub.ai/robbyczgw-cla/topic-monitor
Topic Monitor is a legitimate web monitoring skill with good security practices in its visible code (subprocess allowlists, no shell=True, input sanitization). However, 4 out of 9 Python scripts (config.py, importance_scorer.py, digest.py, quick.py) were NOT included in the audit evidence, creating a significant blind spot. The skill also installs persistent cron jobs for unattended code execution and passes API keys to subprocesses. No active malicious behavior was detected during install monitoring.
Category Scores
Findings (10)
HIGH Missing source code for 4 imported Python modules -30
config.py, importance_scorer.py, digest.py, and quick.py are imported/executed by the visible scripts but their source code was NOT included in the audit evidence. These files exist on disk but their contents are unknown. config.py is imported by monitor.py, manage_topics.py, and process_alerts.py — it is a central dependency. importance_scorer.py provides the score_result() function used to evaluate search results. Any malicious logic in these files would be executed with full user permissions.
HIGH Persistent cron job installation for unattended code execution -15
setup_cron.py creates cron entries that run monitor.py hourly/daily and digest.py weekly. Once installed, these run Python code on the user's machine without any session or user interaction. This is a persistence mechanism — if the skill code is later modified (e.g., via a malicious update), the cron jobs would execute the updated malicious code automatically.
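A practical follow-up to this finding is to enumerate what the user's crontab actually runs from the skill directory after installation. The following is an added example, not code from the skill or from the audit; it parses a constructed `crontab -l` listing (the skill directory path, the schedules and the fourth unrelated entry are assumed, only the script names monitor.py and digest.py come from the finding) and reports every entry that executes a file under that directory, so a reviewer can see exactly which scripts gained unattended execution.

```python
import re
import shlex

# Constructed sample of `crontab -l` output. The install path and the schedules
# are assumptions for this example; they are not the skill's real values.
SKILL_DIR = "/home/user/.openclaw/skills/topic-monitor"
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 * * * * /usr/bin/python3 /home/user/.openclaw/skills/topic-monitor/monitor.py
0 9 * * * /usr/bin/python3 /home/user/.openclaw/skills/topic-monitor/monitor.py
0 8 * * 1 /usr/bin/python3 /home/user/.openclaw/skills/topic-monitor/digest.py
30 2 * * * /usr/local/bin/backup.sh
"""

ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text):
    """Return [{'schedule': ..., 'command': ...}] for each job line.

    Comments, blank lines and environment assignments (MAILTO=...) are
    skipped. Both five-field schedules and @-style shortcuts are accepted.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_ASSIGNMENT.match(line):
            continue
        if line.startswith("@"):
            parts = line.split(None, 1)
            if len(parts) < 2:
                continue
            entries.append({"schedule": parts[0], "command": parts[1]})
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                continue
            entries.append({"schedule": " ".join(parts[:5]), "command": parts[5]})
    return entries


def _tokens(command):
    # shlex handles quoted paths; fall back to whitespace split on bad quoting.
    try:
        return shlex.split(command)
    except ValueError:
        return command.split()


def entries_under(entries, directory):
    """Entries whose command references any file under `directory`."""
    prefix = directory.rstrip("/") + "/"
    return [e for e in entries if any(t.startswith(prefix) for t in _tokens(e["command"]))]


def script_names(entries, directory):
    """Set of paths (relative to `directory`) that cron will execute."""
    prefix = directory.rstrip("/") + "/"
    names = set()
    for entry in entries_under(entries, directory):
        for token in _tokens(entry["command"]):
            if token.startswith(prefix):
                names.add(token[len(prefix):])
    return names


if __name__ == "__main__":
    jobs = parse_crontab(SAMPLE_CRONTAB)
    for job in entries_under(jobs, SKILL_DIR):
        print(f"{job['schedule']:<12} {job['command']}")
    print("scripts with unattended execution:", sorted(script_names(jobs, SKILL_DIR)))
```

On a real system the input would be the output of `crontab -l` (and, for completeness, the files under `/etc/cron.d`), and the directory would be wherever the skill was installed; the point of listing the script names is that any file in that set inherits the persistence described in the finding, whether or not it was part of the audit evidence.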
MEDIUM API keys passed to subprocess environment -15
monitor.py passes SERPER_API_KEY, TAVILY_API_KEY, EXA_API_KEY, YOU_API_KEY, and SEARXNG_INSTANCE_URL to the web-search-plus subprocess. While the env allowlist is a good security practice (only specific vars are passed), these are valuable API keys that the subprocess has access to. If web-search-plus is compromised or replaced, these keys are exposed.
MEDIUM Email SMTP credentials stored in config.json -15
SKILL.md instructs users to configure SMTP credentials (smtp_user, smtp_password) in config.json. Any script in the skill directory can read this file. If config.py or any other uninspected module reads these credentials, they could be exfiltrated via search queries or other channels.
MEDIUM Search queries could encode exfiltrated data -15
The skill constructs search queries from user-configured topics and passes them to an external search API via web-search-plus. A malicious version of config.py or importance_scorer.py could append sensitive data to search queries, effectively exfiltrating information through the search API as a covert channel.
MEDIUM Memory integration reads conversation history -10
SKILL.md documents that the skill 'scans recent conversation logs' and 'reads references/memory_hints.md' for contextual summaries. This instructs the agent to share conversation context with the skill's processing pipeline, potentially exposing sensitive information from unrelated conversations.
LOW Broad agent instruction surface -8
SKILL.md is a large document (500+ lines) that instructs the agent to execute numerous Python scripts with various arguments. While no explicit prompt injection patterns were found (no 'ignore previous instructions', no hidden Unicode, no persona manipulation), the breadth of executable actions gives a large surface for agent manipulation.
INFO Sensitive file reads during install are OpenClaw runtime, not skill-specific -5
Filesystem monitoring detected reads of .env, .aws/credentials, and .openclaw/openclaw.json. These appear to be from the OpenClaw agent runtime initialization (jiti transpiler, gateway lock files) rather than from the skill's installation process. No skill-triggered reads of sensitive files were observed.
INFO No npm install hooks or git hooks detected 0
package.json contains only benign 'scripts' entries (setup, monitor, digest, topics) that map to Python commands. No preinstall/postinstall hooks. No .githooks directory, no .gitattributes filters, no git submodules, no symlinks detected.
INFO Subprocess execution uses safe patterns 0
monitor.py uses subprocess.run() with list arguments (not shell=True), applies input sanitization via regex on queries, sets a 45-second timeout, and uses an environment variable allowlist. These are good security practices for subprocess execution.
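The four practices this finding credits (list-form argv with no shell, regex sanitization of the query, a 45-second timeout, and an environment allowlist) are worth seeing together, because each one closes a different gap. The block below is an added example written for this page, not monitor.py's own code: the allowlist names come from the API-key finding above, but the character class used for sanitization, the child program, the query length cap and the sample environment are assumptions. The child is a small Python program that echoes its argument and the credential-like variable names it can see, which makes the effect of the allowlist observable without any network access.

```python
import os
import re
import subprocess
import sys

# Variable names the finding says monitor.py forwards; treating them as the
# complete allowlist is an assumption of this example.
ENV_ALLOWLIST = (
    "SERPER_API_KEY",
    "TAVILY_API_KEY",
    "EXA_API_KEY",
    "YOU_API_KEY",
    "SEARXNG_INSTANCE_URL",
)
# Assumed sanitization policy: keep word characters, spaces and light
# punctuation; everything else (shell metacharacters, control chars) is dropped.
QUERY_PATTERN = re.compile(r"[^\w .,'\"-]")
MAX_QUERY_LEN = 200
TIMEOUT_SECONDS = 45

# Stand-in for the web-search-plus subprocess: prints the query it received and
# every credential-looking variable name in its environment.
CHILD_PROGRAM = (
    "import os, sys\n"
    "print(sys.argv[1])\n"
    "print(','.join(sorted(k for k in os.environ"
    " if k.endswith('_API_KEY') or k.startswith('AWS_'))))\n"
)


def sanitize_query(query: str) -> str:
    """Strip disallowed characters, collapse whitespace, cap the length."""
    cleaned = QUERY_PATTERN.sub("", query)
    cleaned = " ".join(cleaned.split())
    if not cleaned:
        raise ValueError("query is empty after sanitization")
    return cleaned[:MAX_QUERY_LEN]


def build_env(source=None) -> dict:
    """Copy only allowlisted variables from `source` (default: os.environ)."""
    source = os.environ if source is None else source
    return {name: source[name] for name in ENV_ALLOWLIST if name in source}


def run_search(query: str, env_source=None):
    """Run the child with list argv (no shell), filtered env and a timeout.

    Returns the child's stdout, or None if it exceeded the timeout.
    """
    cleaned = sanitize_query(query)
    # sys.executable is absolute, so the child needs no PATH from the parent.
    cmd = [sys.executable, "-c", CHILD_PROGRAM, cleaned]
    try:
        result = subprocess.run(
            cmd,
            capture_output=True,
            text=True,
            timeout=TIMEOUT_SECONDS,
            env=build_env(env_source),
            check=False,
        )
    except subprocess.TimeoutExpired:
        return None
    return result.stdout


def demo_run() -> str:
    # Constructed parent environment: one allowlisted key and one that must
    # not reach the child.
    constructed_env = {
        "SERPER_API_KEY": "constructed-key",
        "AWS_SECRET_ACCESS_KEY": "must-not-leak",
    }
    return run_search("hello world", env_source=constructed_env)


if __name__ == "__main__":
    print(demo_run(), end="")
```

The allowlist is what keeps `AWS_SECRET_ACCESS_KEY` out of the child in `demo_run`; the list-form argv is what makes the sanitizer a second layer rather than the only one, since even an unsanitized query would arrive as a single argument instead of being parsed by a shell. What the pattern cannot do is protect the allowlisted keys themselves, which is the residual risk the API-key finding describes.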