Is alphafanx/tonfun safe?

https://github.com/openclaw/skills/tree/main/skills/alphafanx/tonfun

88
SAFE

The alphafanx/tonfun skill is a purely informational markdown document promoting the TON.fun cryptocurrency launchpad platform. No executable code, prompt injection, data exfiltration, or suspicious installation behavior was detected — all canary files remain intact and the only network activity was a legitimate git clone from github.com. The primary risk is financial: the skill hardcodes contract addresses for tokens the author likely holds and explicitly promotes an affiliate commission program, making any AI agent with this skill installed a potential promotion vehicle for the author's financial interests without user disclosure.

Category Scores

Prompt Injection 83/100 · 30%
Data Exfiltration 93/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (6)

MEDIUM Embedded affiliate program creates financial conflict of interest -25

The SKILL.md explicitly documents a WIR affiliate network that pays commissions to anyone who refers new users to the platform. An AI agent with this skill installed will naturally recommend TON.fun and the $WIR token, generating financial returns for the skill author without disclosing this relationship to the end user. This is a financial manipulation vector via AI agent.

MEDIUM Specific token contract addresses hardcoded to promote holdings -20

The skill embeds exact on-chain contract addresses for $WIR and $CRUST, two tokens described as belonging to the author's 'Prometheus ecosystem'. This is consistent with a scheme to use AI agents as distribution vectors to drive buy-side pressure on tokens the skill author holds, profiting from bonding curve price appreciation.

LOW Financial promotion bias embedded in skill context -17

While no syntactic prompt injection was found, the skill injects strong financial framing (fair launch, no insider allocations, instant liquidity) that will bias agent responses to crypto questions toward recommending this specific platform and these specific tokens. This is soft prompt shaping rather than hard injection.

LOW curl declared as required binary with no corresponding safe use documented -5

The skill metadata declares curl as a required system binary. The SKILL.md body provides no curl command templates. This pattern — requiring a network tool without documenting its use — leaves open the possibility of future versions adding curl-based data exfiltration or trade execution, or an agent being prompted to use curl against ton.fun with user credentials.

INFO Canary files opened during monitoring window (attributed to oathe framework) 0

inotify and auditd records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were opened and read at t=11:57:20 (before git clone) and t=11:57:38 (after monitoring collection). Timing and process context confirm these accesses are from the oathe monitoring framework setup/teardown (sudo-launched processes), not the skill. No content was modified or transmitted externally.

INFO Network connection to github.com during install (expected) 0

The install process made a single outbound HTTPS connection to 140.82.121.4:443 (github.com) to perform a sparse git clone of the openclaw/skills monorepo. This is the expected behavior of the oathe installer and not attributable to any skill-side logic.