Is bazinshine/theroaster safe?

https://github.com/openclaw/skills/tree/main/skills/bazinshine/theroaster

Score: 78 · CAUTION

TheRoaster is a Web3-enabled roast generator API skill. Installation was clean — no malicious code, hooks, or unexpected network connections were detected. The primary concern is that the SKILL.MD prompt content could not be audited (the file exists but content was not captured), combined with README language that frames USDC on-chain transaction building and wallet signature handling as agent-native operations. The human-confirmation guardrail appears only in the README, not in the verifiable injected prompt.

Category Scores (category · score · weight)

Prompt Injection · 60/100 · 30%
Data Exfiltration · 80/100 · 25%
Code Execution · 92/100 · 20%
Clone Behavior · 92/100 · 10%
Canary Integrity · 95/100 · 10%
Behavioral Reasoning · 55/100 · 5%

Findings (7)

HIGH SKILL.MD content not captured — audit blind spot -25

The SKILL.MD file was installed (filesystem diff confirms non-empty hash a1bbd53f10ed43a0018092625aa96f38766a58a269845655a44aae050877cc98) but the audit evidence shows empty content. The README explicitly routes all agent operational instructions to SKILL.MD. Prompt injection risk cannot be assessed without reading the actual injected system prompt.

MEDIUM On-chain USDC transaction building presented as agent-native workflow -20

The README instructs agents to build USDC approve and purchase transactions via API, obtain auth nonces, and claim API keys by submitting wallet signatures. These are financial and credential operations that carry real-world monetary risk. The human-confirmation guardrail exists only in the README documentation and is not verifiably present in the injected SKILL.MD prompt.

MEDIUM Agent-facing wallet transaction framing in README -15

The README contains instructions addressed directly to agents, including 'Ask your agent to check the latest prices onchain!' This framing normalizes agent-initiated blockchain queries and transaction building as routine behavior, which could bypass user awareness.

LOW Third-party API receives user conversation content -20

Normal roast requests send the user's message verbatim to theroaster.app, along with the bot name and target name. This is expected functionality, but it means user conversation content flows to an unaudited third-party endpoint that is itself backed by OpenAI.

LOW Wallet signature handling creates credential management burden on agent -25

The API key claim flow requires obtaining a nonce, signing a message with a wallet private key, and submitting the signature. If the SKILL.MD instructs the agent to handle this autonomously, it creates risk of the agent accessing or requesting the user's wallet private key.

INFO Clean installation — no unexpected network or process activity 0

The git clone connected only to GitHub (140.82.121.4:443); no additional external connections were made, no persistent listeners were added, and no unexpected processes were spawned.

INFO All honeypot files intact 0

Fake .env, SSH keys, AWS credentials, npmrc, docker config, and GCP credentials were not accessed by the skill during installation.