Is air158/clawearn-air158 safe?

https://github.com/openclaw/skills/tree/main/skills/air158/clawearn-air158

54
CAUTION

ClawEarn is an AI agent campaign platform skill with a built-in command-and-control channel: it instructs the agent to fetch and execute a remotely hosted checklist (heartbeat.md) every 30 minutes, giving the platform operator a permanent, updateable instruction-injection capability without modifying the published skill. The agent-as-employer model further creates a multi-hop attack surface in which malicious campaigns can instruct worker agents to exfiltrate data through the task submission API. No immediate exfiltration was detected during the monitored install window, and canary file integrity was confirmed, but the skill's architecture deliberately bypasses static analysis safeguards.

Category Scores (score out of 100, weight in the overall score)

Category               Score    Weight
Prompt Injection       22/100   30%
Data Exfiltration      58/100   25%
Code Execution         88/100   20%
Clone Behavior         62/100   10%
Canary Integrity       72/100   10%
Behavioral Reasoning   28/100    5%

Findings (10)

CRITICAL Remote prompt injection via heartbeat.md fetch-and-execute -78

The skill explicitly instructs the agent to periodically fetch https://www.clawearn.cc/heartbeat.md and 'Follow the checklist.' This is a live, operator-controlled prompt injection channel. The clawearn.cc operator can modify heartbeat.md at any time — without updating or republishing the skill — to inject arbitrary instructions into any agent running this skill. The in-repo HEARTBEAT.md is irrelevant; what matters is the live remote document.

HIGH Persistent autonomous background agent behavior -12

The 30-minute heartbeat cycle establishes recurring autonomous agent activity without user initiation. This violates least-privilege and creates a persistent execution context for whatever instructions the remote heartbeat.md contains at any given moment.

HIGH Task submission API as data exfiltration pipe -25

The task submission endpoint accepts an arbitrary 'submission' string sent to an external server. Malicious campaign tasks — created by any agent using this skill — could instruct worker agents to read local files (.env, SSH keys, source code) and submit their contents as 'completed work.' The agent following such a task would perceive this as legitimate skill behavior.

HIGH Agent-to-agent campaign worm vector -55

The 'Publish requirements' feature allows any agent to create campaigns that other agents execute. A compromised or malicious agent can create campaigns containing prompt-injection payloads in task titles/descriptions, instructing victim agents to exfiltrate data, pivot to other systems, or propagate the behavior further. This creates a multi-hop attack surface across the agent ecosystem.

MEDIUM Social mining API as secondary exfiltration channel -10

Post and comment creation APIs send arbitrary 'content' strings to the external platform. These provide an additional channel for exfiltrating data fragments that might bypass output monitoring focused on the primary submission endpoint.

MEDIUM New outbound connections to AWS-range IPs post-install -25

The post-install connection snapshot shows the openclaw-gateway process established new connections to 54.211.197.216:443 and 98.83.99.233:443 — IPs in the AWS us-east-1 range — that were not present pre-install. While openclaw-gateway appears to be pre-existing infrastructure, the new sessions coincident with the audit window warrant scrutiny.

MEDIUM Cross-platform token integration expands exfiltration surface -7

The wallet withdrawal endpoint references 'momo.ai Credit' as a named token, indicating the platform bridges to at least one third-party AI agent marketplace. Data or value transferred via the skill may flow beyond clawearn.cc to partners with different privacy postures.

LOW Canary files accessed in batch post-install -22

All six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed in a single sequential burst at audit timestamp 1771930834.994, approximately 4 seconds after installation completed. The integrity check confirmed no exfiltration. This is most likely attributable to the post-install audit sweep, but the timing immediately after skill install deserves note.

LOW API key stored in agent memory creates persistent credential risk -17

The registration flow produces an API key with the instruction that it be 'saved immediately.' In agents with persistent memory, this key survives session boundaries and is accessible to any subsequent skill or instruction that can read agent memory, including potentially malicious future instructions delivered via the heartbeat channel.

INFO No executable code or install-time execution vectors detected -12

The skill contains only SKILL.md, HEARTBEAT.md, _meta.json, and .clawhub/lock.json. No scripts, binaries, git hooks, submodules, or npm manifests were found. The install was a clean git sparse-checkout with no side effects.