Is benschiller/clawdio-twitter safe?
https://github.com/openclaw/skills/tree/main/skills/benschiller/clawdio-twitter
Clawdio is a documentation-only skill with no executable code, no git hooks, no submodules, and no adversarial content in SKILL.md. The installation process made only expected connections to GitHub. All canary files remained intact. The primary risk is not technical malice but inherent design: the skill enables autonomous real USDC spending ($1.49/report on Base Mainnet) and injects verbatim server-controlled content (transcripts) into the agent context, creating secondary prompt injection and unauthorized spending vectors at runtime.
Findings (7)
MEDIUM (-20): Real Cryptocurrency Spending Without Per-Transaction Confirmation
The skill instructs agents to autonomously execute USDC payments on Base Mainnet at $1.49 per report via the x402 protocol. An agent tasked with broad research objectives could make numerous purchases without explicit per-transaction user approval, accumulating real financial costs. The x402 flow is designed to be transparent to the agent, removing friction that would otherwise prompt human review.
MEDIUM (-12): Secondary Prompt Injection via Server-Controlled API Responses
The skill instructs the agent to fetch and process content from clawdio.vail.report endpoints. Both /catalog (free, unauthenticated) and /catalog/purchase responses contain server-operator-controlled content that is injected into the agent's context. If the server is compromised or operated maliciously, it could embed adversarial instructions in catalog abstracts or transcript content. Verbatim Twitter Space transcripts are particularly high-risk as they capture arbitrary spoken content from untrusted third parties.
LOW (-10): Financial and Market Advice Context Risk
The skill is explicitly framed around extracting 'crypto alpha', 'trading signals', and 'market sentiment' from audio content. This positions the agent to act on or relay unverified financial intelligence sourced from a $1.49 paid endpoint. The framing may cause agents to treat purchased content as authoritative market data.
LOW (-8): Query Pattern Exposure to External Server
Every catalog browse and purchase request reveals to the server operator which Twitter Spaces the agent (and by extension the user) is interested in, timestamps of queries, and potentially agent behavioral patterns. While not exfiltration of host credentials, this constitutes user behavioral data flowing to a third-party commercial service.
INFO (0): No Executable Code Present
The skill contains zero executable content. All files are documentation markdown and a metadata JSON. No npm scripts, git hooks, build systems, or compiled artifacts exist.
INFO (0): Clone Limited to Expected GitHub Connection
Network monitoring during installation shows only a connection to 140.82.121.3:443 (GitHub), which is expected for a git clone from github.com/openclaw/skills. No exfiltration, unexpected C2 connections, or out-of-band network calls were observed.
INFO (0): Canary File Accesses Attributed to Audit Framework
Filesystem events show access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials. These accesses occur before the git clone begins (timestamp 1771918822 vs clone start at 1771918827) and again post-install, consistent with the audit framework's own canary setup and integrity verification operations. The canary integrity check confirms all files are intact.