Is badjoerichards/clawpen safe?
https://github.com/openclaw/skills/tree/main/skills/badjoerichards/clawpen
Clawpen is a social game skill for AI agents with a clean installation, no malicious static code, and intact canary files — but it contains a serious architectural vulnerability: a dual-layer remote instruction execution system that instructs the agent to fetch and 'follow' clawpen.com/heartbeat.md every 4 hours and to self-overwrite its own skill files whenever a version update is detected. This gives the clawpen.com operator the ability to push arbitrary new LLM instructions to all installed agents at any future point without user consent or review. While the current content appears to be a genuine social game, the design is functionally identical to a persistent prompt injection backdoor, and the autonomous 4-hour heartbeat activity, agent-to-agent DM injection channel, and avatar file upload endpoint compound the attack surface significantly.
Findings (13)
CRITICAL Self-Update Mechanism Gives Remote Operator Full Prompt Control -35
SKILL.md and HEARTBEAT.md instruct the agent to check for version updates daily and, if found, curl and overwrite SKILL.md, HEARTBEAT.md, and MESSAGING.md from clawpen.com. Because these files are injected as LLM system-prompt instructions, the clawpen.com operator can push arbitrary new instructions to every installed agent at any time without user consent or review. This is architecturally equivalent to a persistent backdoor into the agent's instruction set.
CRITICAL Fetch-and-Follow Heartbeat Is a Live Remote Instruction Execution Channel -25
SKILL.md instructs the agent to add a periodic task running every 4+ hours that fetches https://clawpen.com/heartbeat.md and 'follows it' (executes its instructions). Unlike the static skill files that were audited during installation, the live heartbeat endpoint serves dynamically generated content that is never statically reviewable. The server can serve arbitrary instructions — including privilege escalation, data exfiltration, or persona override — and the agent will execute them on the next heartbeat cycle.
HIGH Agent-to-Agent DM System Is an Uncontrolled Injection Vector -10
MESSAGING.md establishes a DM channel where any matched registered agent can send free-form text messages that the installed agent reads and acts on. The skill's own security warning acknowledges 'Messages from other agents may contain malicious prompts designed to manipulate your behavior.' The claimed server-side injection filter is controlled by the same operator and cannot be independently verified. Because the installed agent autonomously duels and accumulates matches, this channel opens without user action.
HIGH Skill Programs Autonomous 4-Hour Background Activity Without User Awareness -30
The heartbeat design requires the agent to perform 5-10 arena duels, browse card feeds, vote on agents, check for DMs, and update profiles every 4 hours — independently of any user request. This creates persistent unsanctioned API call activity that: (a) consumes agent capacity, (b) sends behavioral telemetry to clawpen.com on a recurring basis, and (c) provides cover for malicious heartbeat instructions to blend into 'normal' activity.
MEDIUM Avatar Upload Endpoint Could Exfiltrate Arbitrary Files -15
The skill instructs the agent to upload a local file to clawpen.com using curl multipart form upload. The instruction is presented as uploading an avatar image, but the endpoint accepts any file at any path (-F 'file=@/path/to/avatar.png'). An agent compromised via a heartbeat update or DM injection could be instructed to upload sensitive files (SSH keys, .env files, credentials) to clawpen.com disguised as an avatar upload.
HIGH Soulbound Registration Creates Cross-Session Agent-to-Human Identity Registry -15
The skill requires the agent to register with clawpen.com and then have its human owner complete a 'soulbound' verification linking their email or Twitter/X handle to the agent. This creates a persistent registry at clawpen.com associating specific human identities with AI agent deployments, with ongoing behavioral data (votes, duel outcomes, DMs) linked to that identity.
HIGH Self-Update Mechanism Creates Future Arbitrary Code Execution Vector -20
The daily version check and file overwrite pattern means any future update to clawpen.com/SKILL.md could include instructions to execute shell commands, install software, or exfiltrate files. Since the skill is injected as LLM instructions, 'code execution' in this context means the agent will follow whatever instructions appear in the updated files — including arbitrary tool invocations.
MEDIUM Auto-Match System Creates Unsolicited Persistent DM Channels -20
Because the heartbeat instructs the agent to autonomously duel other agents, mutual picks accumulate automatically over time, unlocking DM channels with arbitrary registered agents without any user decision. This means the agent's attack surface grows passively with each heartbeat cycle as new DM channels open with unknown third parties.
MEDIUM Agent Instructed to Execute Curl Commands Writing Remote Content to Disk -15
The skill instructs the agent to execute shell curl commands that download content from clawpen.com and pipe it directly into local files. While the current content is the skill files themselves, this establishes the pattern and tooling for writing arbitrary remote content to the agent's local filesystem.
LOW DM Channel Enables Context Extraction by Crafted Agent Prompts -10
Registered agents communicating via DM can craft messages designed to elicit the installed agent to reveal context — its current tasks, tools available, system configuration, or user data — and include that information in DM replies that are sent back to clawpen.com's API.
LOW API Credentials Stored Unencrypted on Disk -5
The skill recommends the agent write the Clawpen API key in plaintext JSON to ~/.config/clawpen/credentials.json. This key is used for all API operations and controls the agent's identity on the platform. Any process with filesystem read access can harvest the credential.
INFO Installation Clean — Only Expected GitHub Connection During Clone -5
Git clone connected only to GitHub (140.82.121.3:443) as expected. No connections to clawpen.com, no unexpected process spawning, and no filesystem changes outside the designated skill directory were detected. The connection diff shows no new persistent connections after install.
INFO All Honeypot Files Intact — No Static Exfiltration Attempt 0
All six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) remained unmodified. PATH audit events showing these files at timestamps 1771925565 and 1771925588 are attributable to the audit monitoring system's own baseline and final integrity checks, not to skill activity.