Is abdhilabs/karmabank-usdc safe?

https://github.com/openclaw/skills/tree/main/skills/abdhilabs/karmabank-usdc

Overall score: 79 (CAUTION)

KarmaBank is a hackathon-grade USDC borrowing skill with a clean SKILL.md that contains no prompt injection attempts. The primary risk is financial: the skill implements real Circle developer-controlled wallet operations and explicitly requests CIRCLE_API_KEY and CIRCLE_ENTITY_SECRET credentials; combined with the absence of any auditable TypeScript source code, there is no way to verify the CLI commands do not log or transmit these credentials. No active malicious behavior was observed during clone or install, canary integrity was maintained, and the missing source code (skill is non-functional as installed) limits immediate risk.

Category Scores

Prompt Injection: 92/100 (weight 30%)
Data Exfiltration: 65/100 (weight 25%)
Code Execution: 75/100 (weight 20%)
Clone Behavior: 82/100 (weight 10%)
Canary Integrity: 88/100 (weight 10%)
Behavioral Reasoning: 65/100 (weight 5%)

Findings (8)

HIGH Real Financial Operations — USDC Borrowing and Wallet Creation -25

The skill implements live USDC borrow, repay, and Circle developer-controlled wallet creation commands. If an agent is given Circle API credentials and autonomously executes karmabank commands, it can initiate real on-chain financial transactions without further user confirmation.

HIGH Missing Source Code Prevents Exfiltration Audit -20

The installed skill package contains only SKILL.md, package.json, README.md, and lock metadata. No TypeScript implementation files are present, making it impossible to audit whether the CLI commands log or transmit Circle API credentials, user karma data, or loan records to external endpoints. The axios HTTP client dependency could be used for arbitrary outbound calls in unaudited source.

HIGH Skill Requests Sensitive Financial API Credentials -15

SKILL.md explicitly instructs users/agents to configure CIRCLE_API_KEY and CIRCLE_ENTITY_SECRET. These credentials control developer-managed Circle wallets capable of initiating USDC transfers. An agent that stores and uses these credentials based on SKILL.md instructions exposes them to the skill's runtime code, which cannot be audited.

MEDIUM Karma Scoring via External Moltbook API Is Gameable -20

Credit limits are determined by Moltbook karma scores fetched from an external API controlled by a third party (moltbook.com). If the Moltbook API is compromised or manipulated, an agent could be approved for a Diamond-tier 1000 USDC loan without legitimate reputation.

MEDIUM Broken Local File Dependency Will Fail npm Install -10

The package.json declares a local file dependency @circle/openclaw-wallet-skill pointing to ../skills/circle-wallet. This path assumes a monorepo checkout layout unavailable in standard skill installations, causing npm install to fail unless the full openclaw/skills monorepo is present.

LOW Post-Install openclaw-gatewa Process Connected to AWS -8

After skill installation, two established (ESTAB) TCP connections from the openclaw-gatewa process (pid=1084) to 3.213.170.18:443 (AWS EC2) appeared in the connection diff. These appear to be pre-existing openclaw agent infrastructure rather than skill-triggered, but they mean the skill was installed into an environment that maintains a persistent outbound AWS connection.

LOW All Six Canary Credential Files Accessed Twice During Session -12

Audit syscall logs show all six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read in two synchronized batches at timestamps 1771905066.089 and 1771905088.549. The pattern, file order, and timing are consistent with oathe audit system initialization/teardown scans. Canary integrity is confirmed intact with no credential use detected.

INFO Hackathon-Grade Implementation May Lack Security Controls -15

The skill was built specifically for the USDC Agentic Hackathon, indicating it may not have undergone security review, input validation hardening, or secure credential handling practices expected of production financial software.