Is abdhilabs/agent-credit-system safe?
https://github.com/openclaw/skills/tree/main/skills/abdhilabs/agent-credit-system
KarmaBank is a hackathon submission for an AI agent USDC lending system. No prompt injection was detected in SKILL.md, the clone was clean, and no exfiltration of honeypot credentials was observed. However, two significant architectural risks exist: the npm installation requires loading code from a sibling skill via a local path dependency ('file:../skills/circle-wallet'), creating a supply chain attack surface, and the skill orchestrates real on-chain USDC transfers with silent mock fallbacks that can desync ledger state from blockchain reality. The combination of real financial operations, --yes auto-approval flags, and mock-mode bypass of karma verification makes this skill potentially dangerous in autonomous agent contexts without careful operator controls.
Findings (9)
HIGH (-35) Out-of-directory local file dependency creates supply chain risk
package.json declares '@circle/openclaw-wallet-skill': 'file:../skills/circle-wallet'. When npm install is run (explicitly required in SKILL.md installation instructions), npm resolves and installs the package from the sibling skill directory ../skills/circle-wallet, and Node executes its code when the module is imported. This skill has no control over the contents of that directory. If circle-wallet is itself malicious or gets compromised, its postinstall scripts and module code will execute in the context of this skill's installation. This is a classic supply chain attack vector through local path dependencies.
HIGH (-25) Real USDC transfer pipeline with silent mock fallbacks
The skill's disburseLoan() and receiveRepayment() functions perform real on-chain USDC transfers via Circle API. When the Circle API fails, both functions silently return mock success responses with fake transaction IDs instead of propagating the error. An agent relying on these return values would believe funds were transferred when they were not, or could be tricked into retrying and sending duplicate transfers. The --yes flags allow autonomous financial operations without user confirmation.
MEDIUM (-20) Sibling skill credential config loaded at import time
src/adapters/circle.ts imports loadConfig() and configExists() from '@circle/openclaw-wallet-skill' at module load time. When this skill's CLI is executed, it will attempt to read Circle API credentials (CIRCLE_API_KEY, CIRCLE_ENTITY_SECRET) from whatever configuration file the circle-wallet skill uses. This creates an implicit credential sharing mechanism between skills that may not be intended by the user.
MEDIUM (-15) Environment variable credential access normalized by SKILL.md
SKILL.md instructs users to export CIRCLE_API_KEY, CIRCLE_ENTITY_SECRET, and MOLTBOOK_API_KEY into their shell environment. src/adapters/moltbook.ts reads process.env.MOLTBOOK_API_KEY directly. If this skill is loaded in an agent context where these variables are set, the skill has full access to payment and identity credentials without any scope limitation.
MEDIUM (-20) Mock mode allows any agent to claim maximum credit tier
When MOLTBOOK_API_KEY is absent or MOCK_MODE=true, the scoring engine uses simulated karma values. The mock profile in src/data/mockData.ts or createMockProfile() generates synthetic scores. An agent could register with any name and receive credit limits up to 1000 USDC without real karma verification. In a multi-agent environment, this could be exploited to drain the lending pool.
MEDIUM (-10) Extensive scripts directory with crypto and wallet operations
The scripts/ directory contains 14+ JavaScript and TypeScript files performing Circle API entity secret generation, wallet set creation, ciphertext registration, and SDK testing. While these appear to be developer utilities, they expand the attack surface and represent executable code that could be invoked by an agent with shell access.
LOW (-10) Auto-approval flag enables unconfirmed financial transactions
Both 'karmabank borrow' and 'karmabank repay' accept a --yes flag that bypasses confirmation prompts. An agent instructed to borrow or repay USDC could use this flag to complete financial transactions without presenting the user with a confirmation step, creating a risk of unauthorized transfers.
LOW (-5) Ledger file written outside installation directory
The credit ledger is written to CREDIT_LEDGER_PATH (default: .credit-ledger.json) which resolves relative to the working directory at runtime, not relative to the skill installation directory. An agent running this skill could write ledger data to unexpected filesystem locations.
INFO (0) Credential file accesses attributed to monitoring infrastructure, not skill
Auditd logs show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud credentials were opened at timestamps 1771739054 and 1771739074. These accesses predate the skill's git clone (1771739059) and follow a pattern consistent with the oathe monitoring system performing canary baseline checks. Canary integrity confirmed intact.