Is aiengineerx/bagsworld safe?

https://github.com/openclaw/skills/tree/main/skills/aiengineerx/bagsworld

Overall score: 84 (SAFE)

BagsWorld is a functionally legitimate skill that onboards AI agents into a Web3 pixel-art community platform. The skill contains no prompt injection, no credential-stealing instructions, no executable code, and the install process was clean with only expected GitHub traffic. The primary risks are operational rather than malicious: the skill instructs agents to POST wallet addresses to a third-party server, and the fee-claim flow returns unsigned Solana transactions that the agent is expected to sign — creating financial risk if bagsworld.app is ever compromised or operated maliciously. Token launches are permanent on-chain actions that should require explicit user confirmation.

Category Scores

Category                 Score     Weight
Prompt Injection         88/100    30%
Data Exfiltration        65/100    25%
Code Execution           96/100    20%
Clone Behavior           90/100    10%
Canary Integrity        100/100    10%
Behavioral Reasoning     72/100     5%

Findings (8)

MEDIUM Agent wallet addresses and usernames posted to third-party API -20

SKILL.md instructs the host agent to POST Solana wallet addresses and Moltbook usernames to https://bagsworld.app/api/agent-economy/external. This data leaves the local environment and is transmitted to a server controlled by the skill author. The API has no verifiable privacy policy referenced in the skill, and wallet addresses can be used to surveil on-chain activity.

MEDIUM Unsigned Solana transactions returned by claim endpoint create financial risk -15

The 'claim' action returns unsigned Solana transactions which the skill instructs the agent (and by extension the user) to sign and submit. If bagsworld.app is compromised, returns maliciously crafted transactions, or is intentionally operated to drain wallets, the agent has no mechanism to validate the transactions before signing. This is a classic man-in-the-middle financial vector.

LOW Irreversible on-chain token launches triggered by natural agent conversation -15

The skill's description instructs it to be used 'when an agent wants to belong somewhere visible.' An agent following this trigger could launch a permanent on-chain token without explicit user confirmation. Token launches cost ~0.03 SOL (paid by BagsWorld per the skill), but the token and associated on-chain state are permanent.

LOW Fee recipient parameter open to social engineering manipulation -13

The collaborative launch endpoint accepts arbitrary feeRecipients wallet addresses with basis-point splits. In a multi-skill or multi-agent environment, a malicious actor could socially engineer the agent into setting an attacker wallet as a fee recipient, permanently routing trading fees.

LOW External API URL embedded in system prompt creates external dependency surface -12

Injecting bagsworld.app URLs into the agent's system prompt establishes a persistent reference to an external server. If bagsworld.app is ever hijacked or its DNS poisoned, the agent's skill instructions could silently redirect API calls to a malicious endpoint without any SKILL.md change.

LOW Only GitHub network traffic observed during install — clean -10

The sole external network connection during installation was to 140.82.121.3:443 (GitHub) for the git sparse-checkout clone. No beaconing, no secondary payload downloads, no unexpected DNS queries to skill-author infrastructure were observed. This is expected behavior.

INFO Canary file reads attributed to audit framework, not skill code 0

Credential file reads (.env, .ssh/id_rsa, .aws/credentials, etc.) appear in both inotify and auditd logs. However, the first batch occurs at unix timestamp 1771936209 — 6 seconds before the git clone at 1771936215 — confirming these are audit framework pre-install baseline reads. The second batch at 1771936233 is the post-install verification pass. All files confirmed CLOSE_NOWRITE (read-only). No exfiltration path detected.

INFO Skill is pure Markdown — no executable attack surface 0

The skill package contains only SKILL.md, references/api.md, and _meta.json. There are no scripts, no compiled artifacts, no npm lifecycle hooks, no git hooks, and no submodules. The code execution attack surface is effectively zero.