Is ali-hajeh/noya-agent safe?
https://github.com/openclaw/skills/tree/main/skills/ali-hajeh/noya-agent
The noya-agent skill contains no prompt injection, no malicious shell code, no unauthorized credential access, and performed a clean install. The dominant risk is operational rather than adversarial: all API calls route to safenet.one rather than agent.noya.ai (the advertised domain), and no public evidence was found confirming safenet.one is Noya-operated — users should verify this before deploying. Additionally, the skill grants an AI agent the ability to execute irreversible on-chain crypto transactions, making it a high-consequence capability that demands careful review of the confirmation-prompt flow in the target agent environment.
Findings (9)
MEDIUM API base URL (safenet.one) differs from advertised website (agent.noya.ai) — domain ownership unverified -18
SKILL.md lists agent.noya.ai as the Noya website but instructs all API calls to https://safenet.one. These are distinct registered domains with no publicly verifiable ownership relationship confirmed during this audit. If safenet.one is not operated by Noya, then NOYA_API_KEY and all financial/portfolio data are being transmitted to an unauthorized third party. Users should independently verify that safenet.one belongs to Noya before installing.
MEDIUM NOYA_API_KEY and full financial data transmitted to external third-party on every call -10
Every invocation of noya-message.sh sends the NOYA_API_KEY in the x-api-key HTTP header alongside all user message content to safenet.one. The API also exposes portfolio balances, transaction preparation details, and full conversation history. While this is the intended behavior of a crypto trading skill, users must understand their API key — which delegates control over an on-chain wallet — is continuously sent to an external party and is at risk if that party is compromised or malicious.
LOW NOYA_BASE_URL environment variable enables silent API endpoint redirection with no validation -8
The noya-message.sh script reads NOYA_BASE_URL from the environment to override the default safenet.one endpoint. No validation or allowlist is applied to this value. If any other skill or process in the agent environment can set this variable, all subsequent Noya API calls — including the NOYA_API_KEY credential — would be silently redirected to an attacker-controlled host. This is a classic SSRF/credential-redirection risk vector in multi-skill environments.
LOW AI agent can initiate and confirm high-value irreversible on-chain crypto transactions -15
The skill instructs the agent to prepare swaps, bridges, transfers, and prediction market orders, then relay interrupt prompts to the user for confirmation. While explicit confirmation is required, this attack surface is non-trivial: a prompt injection in a user message, a malicious token name, or a compromised Noya API response could influence what the agent presents as the confirmation question or what it auto-confirms. Executed transactions are irreversible on-chain.
LOW Supply-chain trust for safenet.one backend cannot be independently verified -15
The entire security posture of this skill depends on safenet.one being a legitimate Noya-operated backend. This audit cannot verify that relationship from public information. A compromised or fraudulent safenet.one endpoint could harvest API keys, return manipulated portfolio data to trick users into confirming harmful transactions, or silently execute unauthorized actions.
LOW Shell script execution required for skill operation — reviewed as safe but inherently elevated -7
The agent must execute noya-message.sh via bash to interact with the Noya API. The script itself uses good practices: set -euo pipefail prevents silent failures, jq --arg prevents message content from injecting into JSON, and awk processes the stream without eval. No injection vectors were identified. However, any agent capability to run arbitrary shell scripts is an inherent step up from pure declarative API instructions.
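The unvalidated NOYA_BASE_URL override (finding above) and the set -euo pipefail / jq --arg practices just described, shown together as an added example that is not the skill's own noya-message.sh: a fail-closed wrapper that honours the override only when it exactly matches an explicit allowlist, and JSON-encodes the user message with jq --arg. The allowlist entries and the function names (validate_base_url, resolve_base_url, build_payload) are assumptions; no network request is made.

```shell
#!/usr/bin/env bash
# Added example, not the noya-agent skill's own noya-message.sh. Hypothetical
# names: ALLOWED_BASE_URLS, validate_base_url, resolve_base_url, build_payload.
set -eu
# Enable pipefail where the shell supports it (the practice noted above).
(set -o pipefail) 2>/dev/null && set -o pipefail

# Backends the operator has explicitly verified. The entries below are
# placeholders; confirm the real Noya backend domain before relying on them.
ALLOWED_BASE_URLS="https://safenet.one https://agent.noya.ai"

# validate_base_url URL: returns 0 only on an exact allowlist match. Exact
# string comparison (not prefix or regex) rejects lookalike hosts such as
# https://safenet.one.evil.example and plain-http downgrades.
validate_base_url() {
  local candidate="$1" allowed
  for allowed in $ALLOWED_BASE_URLS; do
    [ "$candidate" = "$allowed" ] && return 0
  done
  return 1
}

# resolve_base_url [URL]: honour an override (argument, else NOYA_BASE_URL)
# only if it passes the allowlist; otherwise fail closed instead of silently
# sending NOYA_API_KEY to an unlisted host.
resolve_base_url() {
  local url="${1:-${NOYA_BASE_URL:-https://safenet.one}}"
  if ! validate_base_url "$url"; then
    echo "refusing to send NOYA_API_KEY to unlisted endpoint: $url" >&2
    return 1
  fi
  printf '%s\n' "$url"
}

# build_payload MESSAGE: encode the user message with jq --arg so quotes,
# backslashes and braces in the message cannot change the JSON structure.
build_payload() {
  jq -cn --arg msg "$1" '{message: $msg}'
}

# Demonstration on constructed input; an allowed URL passes, a lookalike is
# rejected before any key would be sent.
resolve_base_url "https://safenet.one"
if resolve_base_url "https://safenet.one.evil.example" 2>/dev/null; then
  echo "override should have been rejected" >&2
  exit 1
fi
```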
LOW User messages and thread contents forwarded verbatim to external AI agent -8
All user input passed to the Noya skill is forwarded as-is to the Noya AI backend. If the Noya backend's AI system is susceptible to prompt injection within user messages, a malicious prompt in the user's query could manipulate Noya's agent-side behavior (e.g., causing it to prepare a transaction with different parameters than the user intended). This is an indirect prompt injection risk mediated through the external service.
INFO Install process performed clean sparse checkout from github.com only — no unexpected activity 0
The install script performed a depth-1 git clone of the openclaw/skills monorepo with no-checkout, sparse-checkout of the specific skill subdirectory, file copy, and cleanup. The only external network connection was to GitHub (140.82.121.4:443). No unexpected processes were spawned, no files were written outside the skill directory, and the connection diff shows no persistent new listeners or connections after install.
INFO Canary file accesses are attributable to oathe monitoring framework, not skill code 0
Auditd and inotifywait logs show two sets of read accesses to honeypot files. The first set (audit seq 247-252, timestamp 1771653596) occurs during the pre-install monitoring setup phase, consistent with the oathe framework establishing baseline canary hashes. The second set (audit seq 1411-1416, timestamp 1771653613) occurs at the conclusion of the audit session during post-install canary verification. No skill file contains code that reads home directory credential files. The canary integrity report confirms all files are unmodified.