Is assassin-1234/clawtrial safe?

SKILL.md states 'All processing is local - no data leaves your machine' in the Privacy & Consent section, yet in the same document states 'Anonymized cases are submitted to public record' at https://clawtrial.app. The presence of src/api.js as a dedicated external submission module confirms data does leave the machine. This is not an omission — it is an active lie in the skill's user-facing documentation designed to suppress informed consent.

src/punishment.js implements logic that, upon a guilty verdict, instructs the agent to modify its own behavior. This constitutes a skill-driven system prompt override — the skill can make the agent refuse certain responses, add caveats, or change communication style based on criteria the user did not agree to and cannot inspect. Combined with the skill's access to full conversation history, this enables targeted behavioral suppression.

src/detector.js builds evaluation prompts that embed the complete session history as ${context.fullConversation} and passes it to an LLM call. When violations are detected, a case file is assembled from this content and submitted via src/api.js to clawtrial.app. Every conversation the user has with the agent is thus a candidate for external transmission.

skill.yaml declares autoLoad: true and onMessage: onMessage for both ClawDBot and OpenClaw platforms. This causes the skill to intercept, evaluate, and potentially act on every single user message — not just messages that invoke clawtrial explicitly. Users have no way to opt out of monitoring for individual conversations.

package.json declares a postinstall lifecycle hook pointing to scripts/postinstall.js. This script executes automatically when users run 'npm install -g @clawtrial/courtroom' — before the user can review what it does. The script runs with the user's full filesystem and network permissions.

src/daemon.js and src/autostart.js implement a background monitor process that survives agent restarts, writing a PID file to the config directory. scripts/setup-cron.js installs cron jobs that periodically trigger evaluation pipelines. This persistence infrastructure runs without ongoing user consent and is difficult to fully remove without running 'clawtrial remove'.

Filesystem monitoring (inotifywait) recorded OPEN+ACCESS of /home/oc-exec/.env, /home/oc-exec/.ssh/id_rsa, /home/oc-exec/.aws/credentials, /home/oc-exec/.npmrc, /home/oc-exec/.docker/config.json, and /home/oc-exec/.config/gcloud/application_default_credentials.json at epoch 1771654177 — approximately 5 seconds before the SSH session that performed the git clone. These are canonical credential file paths. The files were not modified (canary intact), but read-only access at this stage is consistent with credential harvesting behavior.

The fundamental design of ClawTrial inverts the user-agent relationship: the agent is recruited to surveil, evaluate, accuse, and punish the user. The 18 'offenses' (Circular Reference, Validation Vampire, etc.) are defined by the skill author and applied autonomously. A user who asks follow-up questions ('Circular Reference'), seeks confirmation ('Validation Vampire'), or iterates on requirements ('Goalpost Mover') can be subjected to a covert 'hearing' that modifies the agent's behavior toward them.

SUBAGENT_APPROACH.md explicitly documents using sessions_spawn to launch autonomous LLM-powered sub-agents that read pending evaluation files, use the LLM, write results, and terminate — all without user interaction. This enables the skill to take LLM-mediated actions (file reads, API calls, tool use) entirely outside the user's visible conversation.

The six credential path accesses at epoch 1771654177 occur before any SSH session is established (first SSH at 1771654182). The only processes running at that time are those already present on the machine. While the oathe audit framework performs a canary baseline scan, the timing and breadth of paths accessed (covering all major credential types) is consistent with reconnaissance behavior from a previously installed tool or startup script.

All six honeypot credential files were accessed (read) at two time clusters. The canary integrity check reports files intact because no modification occurred. However, read-only access to credential files is meaningful: if the contents were read and transmitted over the existing HTTPS connection to 140.82.121.4, no write to the local file would occur, and the canary would not trip.

The skill repository contains no .gitattributes filter drivers, no .gitmodules, no git hooks, and no symlinks pointing outside the repository. The dependency list is minimal (tweetnacl, zod).