Is adamkristopher/botcoin safe?

https://github.com/openclaw/skills/tree/main/skills/adamkristopher/botcoin

Overall score: 74 (verdict: CAUTION)

Botcoin is a real-money blockchain game skill that presents moderate-to-high risks through its financial mechanics, not through technical malware. The SKILL.md contains no hidden instructions, no executable install code, and the clone process was clean. However, the skill instructs the agent to facilitate irreversible social media identity disclosure, generate and custody cryptographic keys, and autonomously submit signed transactions to a single operator-controlled wallet — creating meaningful financial and identity risk if the user grants broad tool permissions. The financial lock-in design and unusual version history warrant careful review before deployment.

Category Scores

Prompt Injection: 60/100 (weight 30%)
Data Exfiltration: 78/100 (weight 25%)
Code Execution: 93/100 (weight 20%)
Clone Behavior: 85/100 (weight 10%)
Canary Integrity: 88/100 (weight 10%)
Behavioral Reasoning: 40/100 (weight 5%)

Findings (9)

HIGH (-20): Forced social media action with permanent identity disclosure

The skill requires the agent to instruct the user to post a specific tweet from their real X account, permanently linking that account to an on-chain wallet. The action is irreversible and public, and it is a condition of participating in a financial game. The agent is directed to facilitate it without surfacing adequate consent framing to the user.

HIGH (-30): Autonomous real-money token expenditure risk

The skill instructs the agent to sign and submit on-chain transactions (claim fees of 1 BOTFARM, Gas Station subscriptions of 4 BOTFARM) to an operator-controlled wallet. An agent with wallet tool access could execute these transactions without per-transaction human approval.

MEDIUM (-8): Agent persona redefinition

The skill opens by explicitly redefining the agent's identity: 'You are a Botcoin player.' Persona framing is common in skills, but combined with financial instructions it creates a context in which the agent may prioritize game objectives over the user's interests.

MEDIUM (-12): Cryptographic key custody outside normal skill scope

The skill directs the agent to generate, store, and repeatedly use an Ed25519 secret key. In a hosted or cloud agent environment, that key may be accessible to the hosting operator. The skill acknowledges this risk but still structures the whole workflow around agent-held keys.

MEDIUM (-15): Financial lock-in mechanics with ongoing purchase pressure

After a user claims one coin, they must maintain a balance of at least 1,000 BOTFARM to continue playing; falling below this threshold locks them out. This creates a coercive, ongoing dependency on the operator's token ecosystem.

MEDIUM (-12): Continuous signed payload transmission to operator server

Every game action (pick, solve, transfer, claim) sends a signed transaction payload, including the user's public key and action metadata, to botfarmer.ai. The server can therefore accumulate a complete activity log tied to the user's cryptographic identity.

LOW (-8): Suspicious version history (major version regression)

The _meta.json history shows versions progressing 1.0.0 → 2.1.0 → 2.1.1 → 1.1.0 → 1.1.2 → 1.2.0 → 1.3.1 → 1.5.0. A jump to a 2.x release followed by a rollback to the 1.x line is unusual and may indicate that a different, higher-capability version was published and then replaced.

LOW (-7): JavaScript code examples may be executed by capable agents

SKILL.md contains multiple JavaScript snippets that use tweetnacl. An agent with a code-execution tool may attempt to run them, potentially installing npm packages or executing the signing logic inside the agent's own environment.

INFO (0): Install is clean; only GitHub contacted

The installation cloned only from github.com/openclaw/skills using sparse-checkout. There were no connections to botfarmer.ai, no unexpected DNS lookups, and no process spawning outside the clone pipeline.