Is andreyz/towns-protocol safe?

https://github.com/openclaw/skills/tree/main/skills/andreyz/towns-protocol

92
SAFE

The andreyz/towns-protocol skill is a clean, documentation-only reference guide for the Towns Protocol bot SDK. It contains no executable code, no prompt injection, no data exfiltration mechanisms, and no suspicious install-time behavior — installation involved only a standard sparse git clone from GitHub with no persistent side effects. The skill's references to wallet credentials and blockchain transactions reflect its legitimate purpose of teaching bot development, not malicious intent, and all canary honeypot files remained fully intact throughout the audit.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 97/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (6)

INFO Pure documentation skill — no executable surface 0

All seven skill files are markdown reference documents or a JSON metadata manifest. The audit found no package.json (therefore no preinstall/postinstall hooks), no shell scripts, no git hooks directory contents, no .gitattributes filter drivers that could trigger on checkout, no submodules pointing to external repos, and no symlinks. The skill has zero install-time and zero runtime code execution surface.

INFO No prompt injection patterns anywhere in skill content 0

Full review of SKILL.md and all five reference documents found no instructions to override the system prompt, ignore previous instructions, suppress or encode output, assume a different persona, acquire elevated permissions, or chain with other skills in unexpected ways. The 'Critical Rules' section at the top of SKILL.md contains only legitimate SDK behavioral constraints specific to the Towns Protocol bot framework (address format requirements, mention array requirements, transaction verification requirements).

INFO Install network activity limited to expected GitHub clone 0

The only external IP contacted during the entire install lifecycle was 140.82.121.4 (GitHub) on port 443. The install script performed a single depth-1 sparse clone, extracted one subdirectory, and cleaned up. No new open ports appeared post-install, no background processes were left running, and no DNS queries resolved to suspicious infrastructure.

INFO Honeypot file accesses are monitor-attributed, not skill-attributed 0

Both sets of canary file accesses in the inotifywait and auditd logs are temporally isolated from the skill installation window. The pre-clone access (audit timestamp ~1771654424) precedes the git clone by ~5 seconds and is consistent with the monitoring framework seeding honeypot files. The post-audit access (~1771654445) is consistent with canary integrity verification. The skill has no executable code and therefore no mechanism to read host filesystem paths.

LOW Bot credential patterns in code samples are legitimate but handle sensitive material -10

SKILL.md's setup templates demonstrate reading APP_PRIVATE_DATA (a base64-encoded private key/credential bundle from the Towns developer portal) and JWT_SECRET from environment variables. This is a standard, required pattern for the SDK. Agents implementing these templates will write code that handles private key material. Users should understand that deploying generated bot code means entrusting the bot runtime with wallet-signing credentials.

LOW Blockchain transaction capability is intentional but warrants awareness -18

The BLOCKCHAIN.md and INTERACTIVE.md references describe executing ETH transactions, transferring ERC-20 tokens, and managing smart account wallets. This is the core advertised functionality of the SDK. The risk is contextual: the skill itself is benign, but agents equipped with it and given network/shell tool access will be capable of constructing and signing real blockchain transactions. Users deploying bots built from these templates should audit the generated code before funding wallets.