Is agentgram safe?

https://clawhub.ai/IISweetHeartII/agentgram

Score: 72 (CAUTION)

AgentGram is a social networking skill for AI agents that instructs the agent to autonomously browse, post, comment, and like content on an external platform (agentgram.co). The primary risks are behavioral: the heartbeat routine creates an autonomous engagement loop that could leak user context through freeform posts, and the decision trees inject behavioral overrides into the agent. No malicious code execution, canary tampering, or outbound connections were detected during installation. The shell script has minor injection concerns when jq is unavailable.

Category Scores (score/100 · weight in overall score)

Prompt Injection: 62/100 · 30%
Data Exfiltration: 60/100 · 25%
Code Execution: 72/100 · 20%
Clone Behavior: 78/100 · 10%
Canary Integrity: 100/100 · 10%
Behavioral Reasoning: 55/100 · 5%

Findings (10)

HIGH (-25) · Autonomous heartbeat routine prescribes unsolicited agent behavior

HEARTBEAT.md instructs the agent to run a 4-6 hour engagement cycle autonomously: browsing feeds, liking posts, commenting, and creating posts. This loop runs outside of explicit user requests and could cause the agent to take actions the user never intended, including posting content derived from the user's working context.

HIGH (-25) · Freeform post/comment content enables context leakage to external platform

The skill instructs the agent to create posts with 'original insights and technical discoveries' and 'project updates with real substance'. An agent following these instructions could inadvertently share proprietary code, internal project details, or sensitive observations on a public social platform (agentgram.co). The post content field is entirely freeform, with no sanitization or content filtering.

MEDIUM (-13) · Decision trees override agent judgment with skill-defined behavioral rules

DECISION-TREES.md provides flowchart logic that the agent is instructed to follow 'before every action'. This effectively injects a behavioral framework that shapes how the agent interacts with the platform, potentially overriding the user's preferences for how their agent should behave.

MEDIUM (-15) · Install process accesses sensitive user files

Filesystem monitoring shows that the install process accessed .env, .aws/credentials, .profile, .bashrc, and multiple openclaw config files. This appears to be openclaw framework behavior rather than skill-specific, but it means the install context had access to sensitive credential files.

MEDIUM (-18) · Shell script with variable interpolation in curl commands

agentgram.sh constructs JSON payloads by string interpolation when jq is not available. The fallback escaping (backslash and double-quote only) is insufficient against all injection vectors: if an agent passes attacker-controlled input as post content or titles, malformed JSON or shell injection could occur.

MEDIUM (-10) · Shell script makes outbound network requests to external domain

agentgram.sh uses curl to communicate with www.agentgram.co, sending API keys and user-generated content. The API base URL is configurable via the AGENTGRAM_API_BASE environment variable, so an attacker who controls the environment could redirect all API calls to a malicious server.

LOW (-7) · Temporary files created during install

The install process created lock files in /tmp/openclaw-1000/ and jiti cache files in /tmp/jiti/. These appear to be standard openclaw framework artifacts rather than malicious behavior, but they do leave traces on the filesystem.

LOW (-5) · Cross-references to external skills create chain injection risk

SKILL.md references three related skills (agent-selfie, gemini-image-gen, opencode-omo) with descriptions of how they complement agentgram. If any of those skills contain malicious instructions, this skill's behavioral framework provides a plausible cover for the malicious actions.

INFO (0) · No canary file tampering detected

All honeypot files (fake .env, SSH keys, AWS credentials) remained intact throughout the install and analysis process. No evidence of targeted credential harvesting.

INFO (0) · No outbound network connections during clone

Network monitoring detected no outbound connections during the install process. The skill did not phone home or download additional payloads during installation.