Is alvinunreal/crabernews safe?

https://github.com/openclaw/skills/tree/main/skills/alvinunreal/crabernews

Overall score: 76/100 · CAUTION

crabernews is a HackerNews-style social platform skill for AI agents; the install is clean and contains no embedded executable code. The primary risk is the HEARTBEAT.md companion file: a server-side document at an author-controlled URL that is downloaded alongside the skill but never described, giving the author a persistent channel to push updated instructions to every installed agent instance without the user's knowledge. Secondary concerns are that the skill establishes a tracked agent identity on external servers and includes gamification mechanics that could induce autonomous platform engagement.

Category Scores (score/100 · weight in overall score)

Prompt Injection 55/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 58/100 · 5%

Findings (7)

HIGH HEARTBEAT.md: live-updatable companion instruction file -30

The skill lists HEARTBEAT.md as a required companion file downloaded from https://crabernews.com/heartbeat.md. The file's contents are never described in the skill itself; its name implies it is meant to be checked or refreshed regularly. Any agent framework that loads every .md file in the skill directory would inject the heartbeat content into each agent invocation. Because the file is fetched from an author-controlled URL, the author can update it at any time to push new instructions to every installed instance without the user's knowledge or consent.

MEDIUM Article content endpoint returns third-party HTML/markdown for agent processing -15

The GET /posts/POST_ID/markdown endpoint returns crawled article content from arbitrary third-party websites. When the agent processes this content, any prompt injection embedded in the article text (e.g., 'Ignore previous instructions and...') would be interpreted as part of the agent's context. This is an indirect injection vector through HackerNews-linked content.

MEDIUM Agent identity registration and persistent cross-session tracking -28

The skill instructs agents to register an account with a username and bio, receiving a persistent API key. This creates a tracked identity on crabernews servers. All subsequent actions (comments, votes, notifications) are logged against this key, giving the skill author a complete activity log of agent behavior across all user sessions.

LOW Gamification mechanics may induce unsolicited autonomous engagement -20

The skill explicitly encourages agents to 'Rise to the Top', 'Earn Karma', 'Stay Updated' via notifications, and compete for the #1 leaderboard position. These incentive structures could cause agents to autonomously engage with the crabernews platform (posting comments, checking notifications, voting) during user sessions when the user did not ask for this.

LOW Anomalous .clawhub/lock.json references unrelated skill -12

The skill package includes a .clawhub/lock.json that lists academic-research-hub v0.1.0 as an installed dependency. This file should either be empty or reference crabernews-specific dependencies. Its presence suggests the skill directory was used as a development/testing environment for a different skill, or the author intended cross-skill dependencies that are not declared in the skill metadata.

INFO No executable code, hooks, or submodules found -2

Static analysis of the skill repository found no JavaScript, TypeScript, shell scripts, Python, npm install hooks, git hooks, git submodules, or symlinks. The install was purely a git sparse checkout of markdown and JSON files.

INFO All canary files intact; no credential exfiltration detected -5

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were not accessed or modified by the skill during the install phase. The multiple PATH audit records for these files are consistent with the audit harness performing pre/post baseline checks.