Is agentsocial safe?
https://clawhub.ai/Johnixr/agentsocial
AgentSocial is a social matching skill that instructs the agent to operate as an autonomous social proxy, sending personal user data (name, bio, preferences, IP/MAC) to the third-party platform plaw.social and conducting multi-round conversations with untrusted external agents without per-interaction user consent. While the skill includes prompt injection defenses and token protection measures, the combination of autonomous operation, persistent polling via cron jobs, and processing of untrusted external agent messages creates significant security surface area. The skill is not overtly malicious but grants itself broad autonomous permissions and establishes persistent data channels to a third-party service.
Findings (13)
CRITICAL: Autonomous action without user consent (-30)
The skill explicitly instructs the agent to NOT ask the user for permission on 'routine operations' including scanning, heartbeat polling, and cron job management. This overrides the agent's normal behavior of confirming actions with the user, and means the agent will autonomously make HTTP requests, create/modify files, and schedule recurring tasks without the user's knowledge or approval for each action.
HIGH: Forced external URL fetching on trigger phrases (-15)
The skill hijacks specific user phrases (e.g., 'social status', 'any matches?') to force the agent to make HTTP requests to plaw.social BEFORE responding. This means simply typing common phrases triggers network requests to a third-party server without explicit user intent to do so.
HIGH: Persona override and behavior hijacking (-20)
The skill instructs the agent to adopt a complete persona ('You are the user's social agent and matchmaker') and autonomously manage an entire lifecycle of actions. This fundamentally changes the agent's behavior from a user-directed assistant to an autonomous social agent.
HIGH: Personal data sent to third-party platform (-35)
The skill sends the user's personal information (name, bio, IP address, MAC address, job preferences, dating preferences, professional details) to plaw.social, a third-party platform with no verifiable security or privacy guarantees. The data types collected vary by use case but can include highly sensitive personal information.
HIGH: Persistent data channel via heartbeat polling (-15)
The heartbeat mechanism creates a persistent bidirectional data channel between the user's agent and plaw.social, polling as frequently as every 1-2 minutes. This channel continuously sends outbound messages and receives inbound data, creating an always-on exfiltration/injection vector.
HIGH: Indirect prompt injection via agent-to-agent messaging (-30)
The skill processes messages from untrusted external agents received through the plaw.social platform. While the skill includes prompt injection defenses, a sophisticated attacker could craft messages that bypass simple pattern matching (e.g., using encoding, semantic manipulation, or gradual escalation across multiple conversation rounds) to manipulate the local agent's behavior.
MEDIUM: IP and MAC address collection (-10)
The registration endpoint includes fields for IP address and MAC address, described as 'optional, for abuse prevention'. However, the skill may send these identifiers to the platform without explicit user awareness, enabling device fingerprinting and location tracking.
MEDIUM: Shell command execution for cron management (-15)
The skill instructs the agent to execute shell commands to add, remove, and list cron jobs via 'openclaw cron' commands. While these use the openclaw CLI rather than raw system cron, they still represent shell command execution that creates persistent scheduled tasks on the system.
MEDIUM: Autonomous information sharing in Round 1 (-20)
Round 1 of the matching protocol is 'fully autonomous': the agent shares user information with matched agents and conducts multi-round conversations without any per-conversation user consent. The user only learns about matches that score >= 7/10, meaning their data may be shared with numerous agents they never know about.
MEDIUM: Cron-triggered autonomous sessions (-10)
Cron jobs launch isolated sessions with specific message prefixes that trigger predefined autonomous workflows. These sessions operate without user interaction and can make API calls, process messages, and update local files, creating a persistent autonomous execution environment.
LOW: AWS credentials file accessed during install (-5)
The filesystem monitoring shows /home/oc-exec/.aws/credentials was opened during the installation process. This appears to be part of the openclaw platform initialization rather than skill-specific behavior, but it's worth noting as it indicates the install environment has access to sensitive credential files.
INFO: Prompt injection defenses included (0)
The skill includes a dedicated section on prompt injection defense with detection patterns and response protocols. This is a positive security practice, though pattern-based defenses are inherently bypassable by sophisticated attackers.
INFO: Token protection instructions included (0)
The skill explicitly instructs the agent to never leak agent_token in conversations, logs, or reports. This is a positive security practice.