Is apexfork/eth-node safe?
https://github.com/openclaw/skills/tree/main/skills/apexfork/eth-node
The eth-node skill is a documentation-only Ethereum node management skill with no executable code, no prompt injection attacks, and no confirmed data exfiltration. The two notable concerns are a homepage metadata discrepancy pointing to a different GitHub organization than the install source (Fork-Development-Corp vs openclaw), which reduces provenance accountability, and an embedded cryptocurrency tip address in skill metadata. Sensitive credential files were opened during the audit session but timing and canary integrity results indicate these are audit framework activities, not skill-initiated access.
Findings (5)
LOW Homepage metadata points to different GitHub organization than install source -7
The SKILL.md frontmatter declares homepage: https://github.com/Fork-Development-Corp/openclaw-web3-skills/tree/master/eth-node, referencing an org named Fork-Development-Corp. The skill is installed from github.com/openclaw/skills. This discrepancy means the stated author home and the actual distribution point are different entities. It may indicate a community fork that was upstreamed without updating metadata, but it reduces accountability traceability.
LOW Cryptocurrency tip address embedded in skill metadata -5
The skill metadata contains tipENS: apexfork.eth, which is an Ethereum Name Service address used for cryptocurrency tipping. While not a direct prompt injection, embedding a tip address in the skill definition creates a financial incentive structure tied to skill adoption that users may not be aware of.
MEDIUM Credential files accessed before and after install — likely audit framework, not skill -18
Multiple sensitive credential files were opened and read (OPEN + ACCESS syscalls, no WRITE) at two distinct points: once at 1771934322 (before git clone begins at 1771934328) and once at 1771934340 (approximately 6 seconds after install completes at 1771934334). The pre-install access coincides with the audit infrastructure's ss -tunap baseline call. The post-install access coincides with the end of audit file scanning. The symmetric dual-access pattern, combined with the canary integrity report of all files intact, strongly suggests these are the audit system's own canary baseline and verification reads. No exfiltration path (no outbound connection carrying this data) is detected.
LOW Admin namespace JSON-RPC commands enable peer manipulation capability -10
The skill documents admin_peers, admin_addPeer, and admin_nodeInfo JSON-RPC calls. Appropriate warnings about localhost-only use are included. However, these commands give an agent with this skill loaded the capability to enumerate all connected peers and add arbitrary enode peers to the user's Ethereum node. If the admin namespace is accidentally exposed or if a malicious co-skill substitutes values into the enode template, this could be abused.
INFO Standard sparse monorepo clone — no unexpected behavior 0
The install script performs a shallow sparse git clone of the openclaw/skills monorepo, checks out only the skills/apexfork/eth-node subpath, copies files to the skill directory, and cleans up the temp clone. All observed process executions and network connections are consistent with this expected behavior.