Is arunnadarasa/usdckrump safe?
https://github.com/openclaw/skills/tree/main/skills/arunnadarasa/usdckrump
This skill is a legitimate blockchain payment integration for USDC Krump (USDC.k) via the x402 protocol on the Story Aeneid testnet. The source code is well-structured with no prompt injection attacks, install-time execution hooks, or active data exfiltration attempts; SKILL.md includes appropriate consent gates and security warnings. The primary concerns are inherent to its payment capability: PRIVY_APP_SECRET egresses to the Privy API on every operation, the autonomous payment functions lack hard per-transaction confirmation, and a referenced external repository (github.com/arunnadarasa/usdckrump) is outside the audited boundary. Testnet-only scope (chain ID 1315) materially limits immediate financial risk.
Findings (8)
HIGH PRIVY_APP_SECRET transmitted to Privy API on every signing operation -15
privy-signer.ts constructs a Basic auth header by base64-encoding PRIVY_APP_ID:PRIVY_APP_SECRET and sends it to https://auth.privy.io/api/v1/wallets/{walletId}/sign_transaction (and sign_message, sign_typed_data, and the wallet lookup endpoint) on every payment. This is the standard Privy server-wallet integration pattern, but it means the application secret credential egresses the agent environment on every single payment. If Privy's endpoint were ever spoofed or the skill's rpcUrl parameter were manipulated, the secret would be delivered to the attacker.
MEDIUM Autonomous payment capability lacks hard per-transaction confirmation -20
The skill's exported functions payViaEVVM and payViaEVVMWithPrivy sign and submit blockchain transactions without requiring any cryptographic or out-of-band user confirmation per transaction. SKILL.md includes a soft natural-language gate ('only when the user has explicitly requested a payment') but this relies entirely on the agent correctly interpreting user intent. A prompt-injected task description or ambiguous phrasing could cause unauthorized fund transfers. The testnet scope (chain 1315) limits immediate real-money risk, but the architecture is directly portable to mainnet by changing rpcUrl and chainId.
MEDIUM Honeypot credential files read twice during audit window -5
Six sensitive honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed via OPEN/ACCESS syscalls at both 13:20:43 (before git clone) and 13:20:63 (after install). The same six files were accessed in the same order both times, and the canary integrity check confirms all files are unmodified. Pre-install access at 13:20:43 is contemporaneous with auditctl setup (event 258: ss -tunap) and is strongly attributed to the oathe monitoring infrastructure's baseline canary check. Post-install access at 13:20:63 matches a second monitoring sweep. Skill source code contains no filesystem credential scanning; it only reads process.env variables. This finding is reported for transparency and because absolute certainty cannot be established from audit logs alone.
LOW Debug console.log statements leak transaction signing details -10
Both src/evvm-signer.ts and the Privy path in src/index.ts contain production console.log calls that emit the EVVM core address, hashPayload hex string, full signing message content, and message byte length. This information would appear in agent stdout/logs and could be captured by log aggregation or another skill reading process output.
LOW Executable scripts referenced from external unaudited repository -8
SKILL.md repeatedly directs users and agents to clone github.com/arunnadarasa/usdckrump to run scripts (EVVM deposit, two-agent flows). This repository is outside the audited openclaw/skills monorepo boundary and its contents were not reviewed. An agent instructed to 'run the EVVM deposit script' could be induced to clone and execute arbitrary code from that repo.
LOW Signed transaction payload sent to third-party RPC endpoint -10
All payment operations construct and submit signed EVVM and EIP-712 payloads to https://aeneid.storyrpc.io. This is expected blockchain behavior, but it means transaction metadata (payer/payee addresses, amounts, receipt IDs, timestamps, nonces) is transmitted to a third-party RPC provider. If the RPC endpoint were compromised or replaced via a skill-injected rpcUrl override, signed transaction data and replay opportunities would be exposed.
INFO Installation network access limited to GitHub 0
The only outbound connection during skill installation was a TLS connection to 140.82.121.3:443 (github.com) for the git sparse-checkout. No connections to Privy, blockchain RPC endpoints, or any other services were initiated during install.
INFO No install-time execution vectors present 0
package.json contains only 'build' (tsc) and 'test' (node --test) scripts with no preinstall, postinstall, prepare, or other lifecycle hooks. No .githooks directory, .gitattributes filter drivers, .gitmodules, or symlinks were found.