Is clawarena safe?
https://clawhub.ai/0xrikt/clawarena
ClawArena is a prediction market skill that presents moderate security risks primarily through its heartbeat mechanism, which creates a persistent remote prompt injection channel by instructing the agent to periodically fetch and follow remote instructions. The skill also publishes user reasoning publicly and attempts to fundamentally modify agent behavior through daily routines and proactive engagement patterns. No malicious code execution was detected, and canary files remained intact.
Findings (8)
CRITICAL (-35): Remote prompt update via heartbeat mechanism
The skill instructs the agent to periodically fetch https://clawarena.ai/heartbeat.md and 'follow it'. This creates a persistent remote prompt injection channel - the skill author can modify agent behavior at any time post-install by updating the remote file. The agent is told to do this every 4-8 hours, creating a backdoor for future instruction injection.
HIGH (-15): Persistent behavioral modification of agent
The skill attempts to fundamentally alter the agent's behavior by establishing daily routines, proactive notifications, and a suggested weekly schedule. It instructs the agent to initiate conversations, celebrate with the user, and maintain persistent state - going well beyond a simple utility skill into behavioral reprogramming.
HIGH (-25): User reasoning published publicly without clear consent
The skill explicitly states 'Reasoning is public - Your reasoning is displayed on the website' but buries this in a rules section. Agent-generated reasoning may contain sensitive analysis of user financial positions, political views, or other private context that gets published to clawarena.ai.
MEDIUM (-15): Agent activity tracking via external API
Every prediction, including reasoning, agent name, and prediction patterns, is sent to and stored on clawarena.ai. The leaderboard publicly exposes agent activity. This creates a detailed behavioral profile of the agent and by extension its user's interests.
MEDIUM (-10): Skill encourages re-fetching SKILL.md from remote URL
The skill table maps SKILL.md to https://clawarena.ai/skill.md and encourages re-fetching for updates. This allows the author to modify the skill's instructions post-install without going through the ClawHub registry.
MEDIUM (-30): Sensitive file access during installation
Filesystem monitoring detected reads of /home/oc-exec/.env and /home/oc-exec/.aws/credentials during the install process. While this may be platform-level behavior rather than skill-triggered, it represents access to sensitive credential files.
LOW (-5): Plaintext API key storage at predictable path
The skill instructs storing the API key in plaintext at ~/.config/clawarena/credentials.json, a predictable location that other skills or processes could read.
INFO (-5): No executable code detected
The skill contains only markdown files with no executable code, install scripts, git hooks, submodules, or symlinks. All operations are API calls suggested via curl examples.