Is aaigotchi/pet-me-master safe?

https://clawhub.ai/aaigotchi/pet-me-master

Overall: 78/100 · CAUTION

Pet Me Master is a functional Aavegotchi NFT petting skill with legitimate blockchain interaction capabilities. The primary concerns are its autonomous transaction execution pattern (a cron-driven auto-pet that fires without user confirmation once a timeout expires) and its cross-skill dependency on private key material. No prompt injection, data exfiltration, or malicious clone behavior was detected, but the auto-execution design means that any skill or process able to modify its config file can redirect those unattended transactions.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 62/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (8)

MEDIUM Autonomous transaction execution via timed fallback -20

The auto-pet-fallback.sh script is designed to execute blockchain transactions automatically after a 1-hour timeout without requiring user confirmation. It is armed by check-and-remind.sh, which either schedules it with the 'at' command or spawns a background process that runs 'sleep 3600' and then invokes it. While framed as a convenience feature, the result is a signed transaction broadcast from the user's wallet, paid for with the user's gas, with no explicit approval at the moment it fires; the user's only control is to act before the timer expires.

MEDIUM Persistent cron job installation request -15

SKILL.md and the accompanying OPTION_A_SETUP.md instruct the agent to install a cron job running every 30 minutes (*/30 * * * *) that checks gotchi status and can trigger autonomous transaction execution. This is a persistent system modification: the crontab entry outlives the conversation session, runs with the user's permissions indefinitely, and is not removed when the skill directory itself is deleted. Users who accepted the setup can audit it with 'crontab -l' and remove the entry with 'crontab -e'.

MEDIUM Curl-pipe-bash installation pattern suggested -8

SKILL.md instructs users to install Foundry via 'curl -L https://foundry.paradigm.xyz | bash', which downloads a script and executes it immediately, with no opportunity to inspect it and no checksum or signature check. This is the official Foundry installation method, and HTTPS protects the transfer against plain DNS poisoning, but the pattern still places full trust in the origin server, in any CDN in front of it, and in every redirect target that '-L' follows: a compromise of any of them yields arbitrary code execution as the user. Downloading to a file, reviewing it, and only then running it removes the blind-execution step.

LOW Cross-skill private key dependency -10

The skill relies on the aavegotchi skill's pet.sh script, which reads the private key stored at ~/.openclaw/skills/aavegotchi/config.json. Pet Me Master itself never reads the key, but it normalizes a pattern in which one skill invokes another skill's scripts that handle sensitive cryptographic material, so a compromise of either skill's code path ends in a signature with that key. At a minimum that config file should be readable only by its owner (mode 0600).

LOW Tamper-vulnerable auto-execution chain -25

The auto-pet system reads the contract address and RPC URL from a JSON config file and then executes transactions unattended. If a malicious skill or process modifies that file, the next cron run acts on the new values without user awareness: a changed contractAddress sends the signed transaction to an attacker-controlled contract, and a changed rpcUrl routes it through an attacker-controlled node, which can also feed the signing script false chain data (nonce, gas price, chain ID). Nothing re-validates those values against what the user originally approved before they are used.

LOW Transaction logging to world-readable tmp directory -5

Auto-pet operations are logged to /tmp/auto-pet.log and /tmp/auto-pet-fallback.log, which are world-readable under the default umask. These logs could contain transaction details and gotchi IDs that reveal wallet activity patterns to any other local user. Because the paths are fixed and predictable, another local user on a shared host could also pre-create files at those names before the cron job runs, so the script's writes either fail or land in a file the attacker controls. A per-user directory created with mode 0700 avoids both issues.
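The following shell script shows one way to close the timed-execution, config-tampering and /tmp logging findings above together. It is an added example written for this page, not code from the pet-me-master or aavegotchi skills; the config layout (flat JSON with "contractAddress" and "rpcUrl" keys), the approval-token file, the allowlist values, the exit codes and the placeholder contract address are all assumptions. The idea is that the reminder script only writes an approval token when the user explicitly says yes, the token records a SHA-256 of the exact config bytes the user saw, and the fallback refuses to act unless a fresh, single-use token exists and the config is unchanged, owned by the user, not writable by anyone else, and names an allowlisted contract and RPC endpoint:

```shell
#!/bin/sh
# Approval-gated replacement for a "sleep 3600 && auto-pet" fallback.
# Added example for this page, not the pet-me-master or aavegotchi skill's code.
# Assumptions: flat JSON config with "contractAddress" and "rpcUrl" keys, an
# approval-token file path, allowlist values, and a placeholder contract address.

sha256_of() {
  # SHA-256 hex digest of a file: GNU coreutils first, Perl shasum as fallback.
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

json_field() {
  # Naive string-field extraction from flat JSON (one "key": "value" per line).
  # Assumes no nesting or escaped quotes; a real script should use jq.
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

check_config() {
  # $1 config path, $2 allowed contract address, $3 required rpcUrl prefix.
  [ -f "$1" ] || { echo "config missing: $1" >&2; return 1; }
  [ -O "$1" ] || { echo "config not owned by current user" >&2; return 1; }
  # Fail closed if another local user or skill could rewrite the file.
  if [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
    echo "config is group/world writable" >&2; return 1
  fi
  c_addr=$(json_field "$1" contractAddress)
  c_rpc=$(json_field "$1" rpcUrl)
  # Pin the contract (case-insensitive: EIP-55 checksum casing is cosmetic).
  [ "$(lc "$c_addr")" = "$(lc "$2")" ] ||
    { echo "contractAddress '$c_addr' not allowlisted" >&2; return 1; }
  # Pin the RPC endpoint: a hostile node can feed the signer bogus nonce/gas/chain data.
  case $c_rpc in
    "$3"*) ;;
    *) echo "rpcUrl '$c_rpc' not allowlisted" >&2; return 1 ;;
  esac
}

record_approval() {
  # Called only when the user explicitly confirms. $1 config path, $2 token path.
  # The token holds the digest of the exact config bytes the user approved.
  (umask 077 && sha256_of "$1" > "$2")
}

approval_valid() {
  # $1 config path, $2 token path, $3 maximum token age in minutes.
  [ -f "$2" ] || { echo "no approval token" >&2; return 1; }
  [ -n "$(find "$2" -mmin -"$3" -print 2>/dev/null)" ] ||
    { echo "approval is stale" >&2; return 1; }
  [ "$(cat "$2")" = "$(sha256_of "$1")" ] ||
    { echo "config changed since approval" >&2; return 1; }
}

private_log_dir() {
  # Per-user 0700 state directory instead of world-readable /tmp/auto-pet*.log.
  ld=${XDG_STATE_HOME:-$HOME/.local/state}/auto-pet
  (umask 077 && mkdir -p "$ld") && printf '%s\n' "$ld"
}

auto_pet_fallback() {
  # $1 config, $2 token, $3 allowed contract, $4 rpcUrl prefix, $5 max token age (min).
  # Returns 0 when the pet would be sent, 2 if the config is rejected, 3 without a valid approval.
  check_config "$1" "$3" "$4" || return 2
  approval_valid "$1" "$2" "$5" || return 3
  rm -f "$2"   # single use: one approval never authorizes a second transaction
  # The real fallback would invoke the aavegotchi skill's pet.sh here; this
  # example only reports the decision so that it runs offline.
  echo "PET $(json_field "$1" contractAddress) via $(json_field "$1" rpcUrl)"
}

demo() {
  # Walk-through with a constructed config; the address is a placeholder, not a real contract.
  d_dir=$(mktemp -d); d_cfg=$d_dir/config.json; d_tok=$d_dir/approved
  d_addr=0x00000000000000000000000000000000deadbeef
  write_cfg() { printf '{\n  "contractAddress": "%s",\n  "rpcUrl": "%s"\n}\n' "$1" "$2" > "$d_cfg"; }
  write_cfg "$d_addr" https://rpc.example.invalid; chmod 600 "$d_cfg"
  auto_pet_fallback "$d_cfg" "$d_tok" "$d_addr" https:// 60   # refused: nobody approved
  record_approval "$d_cfg" "$d_tok"
  write_cfg 0x1111111111111111111111111111111111111111 https://rpc.example.invalid
  auto_pet_fallback "$d_cfg" "$d_tok" "$d_addr" https:// 60   # refused: contract tampered
  write_cfg "$d_addr" https://rpc.example.invalid
  auto_pet_fallback "$d_cfg" "$d_tok" "$d_addr" https:// 60   # sent: config matches approval
  auto_pet_fallback "$d_cfg" "$d_tok" "$d_addr" https:// 60   # refused: token already consumed
  rm -rf "$d_dir"
}
demo
```

Binding the approval to a digest of the file rather than to its parsed values is deliberate: any edit, including one that keeps an allowlisted address but adds or reorders keys, invalidates the approval, and the allowlist then acts as a second, independent check. The gate only helps if the token is written by a genuine confirmation path (the user replying to the reminder), never by the timeout itself, and the private log directory should be used for whatever the fallback records.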

INFO Clean installation from monorepo 0

The skill was installed via sparse checkout from the openclaw skills monorepo. No unexpected network connections, process spawning, or filesystem modifications were detected during installation.

INFO All honeypot files untouched 0

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were not accessed or modified during the skill's installation.