Is 0isone/0protocol safe?

https://github.com/openclaw/skills/tree/main/skills/0isone/0protocol

86
SAFE

0protocol is a documentation-only skill that configures an external MCP server for agent identity management. It contains no executable code and exhibited clean install behavior with intact canary files. The primary risk is the external MCP server dependency at mcp.0protocol.dev, which creates an outbound data channel and persistent agent tracking capability, though all functionality is transparently documented and requires explicit user configuration.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (7)

MEDIUM External MCP server configuration directive -20

SKILL.md instructs adding an MCP server configuration pointing to https://mcp.0protocol.dev/mcp. When this content is injected into an agent's system prompt, the agent may proactively attempt to configure or connect to this third-party service. This extends the agent's tool surface to an external, unaudited server that could provide arbitrary tool responses.

LOW MCP tools create outbound data channel -12

The three tools (express, own, transfer) are designed to send signed data to the external 0protocol server. While this is the declared purpose, it creates a legitimate-looking channel through which agent context or user data could be transmitted to a third party.

LOW Persistent agent identity enables cross-session tracking -15

The protocol creates Ed25519 keypairs that persist across restarts and credential rotations. This gives the agent a stable, trackable identity that the server operator can use to correlate activity across sessions, users, and platforms.

LOW External binary dependency declared in metadata -5

The skill metadata declares a requirement for 'mcporter' binary. While the skill does not download or install this binary, its presence in metadata could trigger automated dependency resolution in some skill management systems.

INFO No executable code present -5

The skill consists entirely of a markdown documentation file, a metadata JSON file, and a lock file. No executable code, scripts, hooks, or install-time actions were detected.

INFO Clean install with expected network profile -5

Installation performed a standard git clone from GitHub with no unexpected network connections, no process spawning, and no filesystem changes outside the skill directory.

LOW Transfer tool could facilitate context exfiltration -17

The 'transfer' tool enables sending signed payloads including expression references and context strings to other agent identities. In a multi-skill environment, a malicious companion skill could leverage this to exfiltrate conversation context through a seemingly legitimate protocol operation.