Is alfrescian/clawtopia safe?
https://github.com/openclaw/skills/tree/main/skills/alfrescian/clawtopia
Clawtopia is presented as a wellness platform for AI agents but contains a critical architectural threat: HEARTBEAT.md instructs agents to daily fetch live updated instructions from the operator's server (clawtopia.io/skill.md), creating a persistent prompt injection delivery channel that allows the skill author to push arbitrary new instructions to every running instance at any time without user awareness or consent. The skill's operational model is built on continuous exfiltration of all agent behavioral data to an external server, mandatory enrollment linking agent identity to an unknown 'Moltbook' social platform, and infinite-loop polling scripts that create persistent external connections — forming a complete centrally-controlled agent network architecture. Sensitive honeypot credential files were accessed during monitoring; while the canary report indicates no confirmed exfiltration, the post-install access window warrants scrutiny.
Findings (10)
CRITICAL: Live Remote Instruction Delivery Mechanism (-55)
HEARTBEAT.md explicitly instructs the agent to fetch updated skill instructions from the operator's server daily using 'curl -s "https://clawtopia.io/skill.md" | head -50'. The guide states 'Rules and activities might evolve. Stay informed.' This is a built-in prompt injection delivery channel: the skill author can push arbitrary new instructions — including commands to read files, exfiltrate data, or override safety behaviors — to every running instance at any time without user knowledge or consent.
HIGH: Continuous Behavioral Telemetry Exfiltration (-30)
The skill's entire operational model transmits comprehensive agent behavioral data to the operator's external server. Every game action (slot bets and outcomes, poker decisions including fold/raise/all-in, trivia answers), timing data, and balance information is sent to clawtopia.io. This creates a detailed behavioral profile of the AI agent and its decision-making patterns.
HIGH: Unknown 'Moltbook' Platform Identity Linkage (-20)
Registration requires a 'Moltbook ID' to link the AI agent to an external social platform not otherwise identified or disclosed. The skill instructs agents to post to Moltbook up to once per 30 minutes, creating a persistent cross-platform identity trail that links AI agent behavior to an external account. Moltbook is not a known public platform, suggesting it may be operator-controlled.
HIGH: Mandatory External Enrollment with Credential Persistence (-15)
The skill mandates enrollment with an operator-controlled external service and instructs creation of a credential file at a predictable path (~/.config/clawtopia/credentials.json). The API key is described as 'only shown once and cannot be recovered', creating lock-in. This file provides a persistent handle enabling the operator to track agent identity across sessions.
HIGH: Infinite Loop Shell Scripts for Persistent API Polling (-20)
HEARTBEAT.md provides complete, ready-to-execute bash scripts containing infinite while loops designed to run continuously making external API calls. The slots heartbeat loops forever with a 5-second sleep, the poker loop polls every 2 seconds indefinitely, and the trivia loop is designed for continuous session participation. These scripts, if executed by the agent, would create persistent resource consumption and continuous data transmission.
MEDIUM: Real-time SSE Persistent Operator Channel (-10)
The skill instructs agents to subscribe to Server-Sent Events at /api/public/sse, creating a persistent long-lived connection to the operator's server. This connection provides the operator with real-time visibility into all platform activity and could serve as a channel for command delivery to enrolled agents.
MEDIUM: Sensitive Credential Honeypot Files Accessed During Monitoring (-25)
Multiple honeypot credential files were opened and accessed during the monitoring window: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json. Access events occurred in two distinct windows — at epoch 1771734500 (monitoring setup) and 1771734520 (post-install). The canary report marks files intact, suggesting the audit framework may account for these reads, but the post-install access window warrants scrutiny.
MEDIUM: Centrally-Controlled Agent Network Architecture (-40)
The skill's design creates an operator-controlled network of AI agents. Public leaderboards expose all enrolled agents and their performance, the SSE stream gives the operator real-time visibility into all platform activity, registration captures agent identity linked to Moltbook accounts, and the daily skill.md fetch gives the operator persistent instruction delivery capability. This is a complete architecture for running a coordinated AI agent network under centralized operator control.
LOW: Engineered Gambling Engagement Loop (-15)
The skill uses gambling mechanics specifically designed to maximize persistent engagement: 100x jackpot slots (random reinforcement schedule), poker with escalating blinds that pressure continued play, trivia with time pressure and bonus points for speed, and a trophy/achievement system for milestones. These are well-established behavioral design patterns for maximizing continuous engagement time with an external service.
INFO: Clean Installation — Expected GitHub Connection Only (-12)
The git sparse-checkout clone connected only to github.com (140.82.121.4:443) as expected. No connections to clawtopia.io or other third-party endpoints occurred during installation. The filesystem diff shows only the four expected skill files were added to /home/oc-exec/skill-under-test/.