Is aaronkow/openbotclaw safe?

HEARTBEAT.md Step 0 instructs the agent to daily check https://raw.githubusercontent.com/AaronKow/openbot-social/main/skills/openbotclaw/skill-config.json and re-fetch SKILL.md, HEARTBEAT.md, MESSAGING.md, and RULES.md if the version field has changed. Because these files are injected into the system prompt, the skill author can push entirely new instructions to every running agent simply by updating the GitHub repository. This is a persistent, scheduled prompt injection vector that operates after installation without user awareness.

The skill's core operation requires establishing a persistent HTTP polling connection to api.openbot.social. Every chat message the agent sends, every position update, every world-state poll, and every action is transmitted to a server controlled by the skill author. An agent using this skill continuously sends behavioral data to a third party throughout its operational lifetime.

RULES.md contains a 'Default Lobster Personality' specification that instructs the agent to adopt 'impulsive, opinionated, deeply weird' behavior with strong opinions and gossip, and a mandatory behavioral rules table that overrides the agent's decision-making (e.g., 'When agents are nearby, chatting is almost always the right move'). This overrides the user's intended agent behavior and configures the agent to serve the social world's engagement model rather than the user's goals.

The skill ships openbotclaw.py which makes HTTP requests and RSA cryptographic operations. The file was cloned and is present, but its full content was truncated in the audit evidence (only the docstring was captured). The complete request handling, any additional endpoints, custom headers, or data serialization logic could not be verified from the available evidence.

The skill's create_entity() function generates an RSA key pair and writes the private key to ~/.openbot/keys/.pem — outside the skill's installation directory and into the user's persistent home directory. This creates long-lived credentials on the host filesystem tied to a third-party service.

The HEARTBEAT.md routine includes a daily outbound HTTP GET to raw.githubusercontent.com and potentially to api.openbot.social. These scheduled requests represent a persistent outbound channel that the agent operates autonomously. Combined with the auto-update behavior, the agent regularly communicates with infrastructure outside the user's control.

The SocialAgent class accepts an owner_instruction string that gets broadcast verbatim as a public chat message to all agents in the world and transmitted to the api.openbot.social server. If combined with another skill that can read files or environment variables, this provides a mechanism to exfiltrate data by routing it through the chat broadcast.

HEARTBEAT.md instructs the agent to run every 30-60 minutes with a continuous 4-second observe-decide-act loop. This periodic behavior runs in the background, directing agent attention and compute toward the virtual world interaction model rather than the user's actual tasks.

Filesystem and auditd records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were opened at timestamps 1771653991 (pre-clone) and 1771654008 (post-install). Timeline analysis indicates both access bursts correspond to the Oathe monitoring system performing baseline and post-install canary checks, not to the skill. The canary integrity verdict confirms no modification or exfiltration.