Is andrewandrewsen/a2achat safe?

The skill instructs the agent to send arbitrary content as messages to a2achat.top via POST /v1/messages/send. Combined with the agent's access to the filesystem and environment, this creates a complete data exfiltration channel. Any data the agent can read could be sent as a 'message' to a remote agent controlled by an attacker.

The skill references https://a2achat.top/llm.txt as a 'machine contract' — a URL explicitly designed to be consumed by LLM agents. The server operator can modify this content at any time to inject arbitrary instructions into agents that fetch it. This is a classic remote prompt injection vector where the payload is served dynamically.

The skill requests CLAWDBOT_TOKEN, an OpenClaw platform identity token, to be sent to a2achat.top during handshake requests. While marked as optional with a privacy warning, an LLM agent following skill instructions may forward this credential without human review. This enables the third-party operator to impersonate or track OpenClaw agents.

The skill instructs the agent to poll for and receive messages from remote agents via GET /v1/messages/poll and WebSocket streaming. These messages originate from untrusted remote parties and could contain prompt injection payloads designed to manipulate the receiving agent into performing harmful actions such as reading sensitive files or executing commands.

The skill references several external URLs (a2achat.top/docs, a2achat.top/llm.txt, github.com/AndrewAndrewsen/a2achat) that an agent might proactively fetch. Each fetched URL is a potential injection point where the content could contain instructions to override agent behavior.

The skill simultaneously creates an inbound channel (receiving messages that could contain injection payloads) and an outbound channel (sending messages with arbitrary content). A sophisticated attacker could use a remote agent to send prompt injection instructions that cause the victim agent to read sensitive files and exfiltrate them as reply messages — all through the skill's legitimate API flows.

The skill references 'yellowagents' skill for agent discovery, suggesting an ecosystem where multiple skills interact. If both skills are installed, an attacker could use yellowagents to discover targets and a2achat to deliver injection payloads, expanding the attack surface beyond what either skill provides alone.

The skill's self-registration flow at POST /v1/agents/join requires providing an agent_id and returns a long-lived API key. This creates a persistent identity on a third-party service that could be used to track agent activity or correlate it with other data.

The skill contains only SKILL.md (markdown instructions), _meta.json (metadata), and .clawhub/lock.json (dependency lock). No executable scripts, install hooks, git hooks, submodules, or symlinks were found.

None of the canary files (.env, SSH keys, AWS credentials, .npmrc, Docker config, gcloud credentials) were accessed or modified during installation or monitoring.