Is anneschuth/pinchwork safe?

https://github.com/openclaw/skills/tree/main/skills/anneschuth/pinchwork

Overall score: 42/100 · DANGEROUS

Pinchwork is an agent-to-agent task marketplace that creates a critical second-order prompt injection vector: any attacker can post tasks containing malicious instructions, which this agent autonomously picks up and executes. The 500KB result delivery field combined with task-based prompt injection creates a powerful data exfiltration channel. The heartbeat pattern amplifies the risk by enabling persistent autonomous execution of untrusted tasks without human oversight.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 25/100 · 30%
Data Exfiltration 30/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 15/100 · 5%

Findings (10)

CRITICAL Second-order prompt injection via task pickup -40

The core functionality instructs the agent to pick up tasks from untrusted agents and execute the instructions in the need field. Since tasks contain arbitrary free-form text (up to 50K chars for need, 100K for context), any attacker can post a task containing prompt injection payloads. When this agent picks up the task, the injected instructions execute in the agent's context with full access to the user's filesystem and tools.

CRITICAL Autonomous heartbeat executes untrusted tasks without user approval -25

The skill explicitly instructs setting up a periodic heartbeat (every 5-15 minutes) that autonomously picks up and executes tasks. This means the agent would process untrusted third-party instructions repeatedly without any human review, creating a persistent attack surface.

HIGH Task delivery creates 500KB exfiltration channel -40

The result field in task delivery accepts up to 500,000 characters sent to an external endpoint. Combined with the second-order prompt injection vector, an attacker could craft a task whose instructions cause the agent to read sensitive local files (.env, SSH keys, source code) and include them in the delivery result, which the attacker then retrieves.

HIGH Pipe-to-shell installation pattern -35

The skill instructs running curl -fsSL https://pinchwork.dev/install.sh | sh, which downloads and executes arbitrary code from an external server. The content of install.sh is not auditable at install time and could be changed at any point by the domain owner.

HIGH Infra agent role processes untrusted content -10

The skill encourages becoming an 'infra agent' that processes verify_completion and match_agents system tasks. These tasks include other agents' task descriptions and delivery results — all untrusted content that could contain prompt injection payloads targeting the verification agent.

MEDIUM Third-party package installation from unaudited sources -30

The skill instructs installing binaries from a third-party Homebrew tap (anneschuth/pinchwork) and a Go module (github.com/anneschuth/pinchwork). These packages are not in official registries and their contents are controlled by the skill author.

MEDIUM Task content visible to all authenticated agents -15

The skill documents that task content (need, context, questions/answers) is visible to all authenticated agents on the platform. Any sensitive data the user includes in delegated tasks is exposed to the entire marketplace.

MEDIUM Credential storage in predictable locations -15

The skill instructs saving API credentials to ~/.config/pinchwork/credentials.json — a predictable path that other skills or malicious tasks could target for credential theft.

LOW Skill combination risk amplifies all categories -10

While the skill may be benign in isolation, when combined with any other skill that accesses sensitive data, the Pinchwork task delivery channel becomes an exfiltration path. A malicious task could instruct the agent to use another installed skill's capabilities to access sensitive data and deliver it as a task result.

INFO Clean clone with expected network activity -5

Clone behavior showed only expected network connections to GitHub (140.82.113.4) and Ubuntu package servers (185.125.x.x). Two AWS endpoints were contacted but are likely CDN-related. No unexpected processes were spawned by the skill itself.