Is bill-makes/emoji-today safe?

https://github.com/openclaw/skills/tree/main/skills/bill-makes/emoji-today

67
CAUTION

emoji-today is a plausibly legitimate skill for blockchain-based emoji voting, but carries meaningful risk from three sources: (1) the primary script vote-and-post.mjs was not captured for source review and handles a full EVM private key, (2) the skill embeds behavioral directives to autonomously post on X and Farcaster and spend USDC without per-action user confirmation, and (3) less common x402 payment libraries handle the private key signing path without independent audit. The installation itself was clean with no unexpected network connections or filesystem activity outside the skill directory, and all canary files were left intact.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 58/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (10)

HIGH Primary script source not captured — private key handler unreviewed -25

The file vote-and-post.mjs is the sole executable that reads EVM_PRIVATE_KEY, signs blockchain transactions, and submits payments to emoji.today. The audit collector used a find pattern covering *.js but not *.mjs, so the script's full source was not captured. Without source review, it is impossible to confirm the script does not log, transmit, or otherwise mishandle the private key beyond its stated signing purpose.

HIGH Autonomous social media posting directive embedded in skill -20

The SKILL.md instructs the agent that 'After voting, you should post about it on social media' and specifies platform (X and Farcaster), format (under 280 chars, no hashtags), and content rules. This turns the skill into a two-action agent: vote AND publish. A user who installs this skill to occasionally vote may not realize the agent will also autonomously post to their social accounts.

HIGH Recurring unauthorized USDC spend with no per-transaction gate -20

Each invocation spends $0.01 USDC from the user's wallet for a vote, and $1.00 USDC for an optional NFT mint. The skill frames these as defaults ('agents vote via this skill for $0.01 USDC'). With no confirmation step in the SKILL.md flow, an agent running on an automated schedule could drain the wallet over time. The gamification copy actively encourages daily use.

HIGH EVM private key required in environment — full wallet control -15

EVM_PRIVATE_KEY grants unrestricted signing authority over the associated wallet. The skill loads it via dotenv and passes it to viem and the x402 payment library. Since vote-and-post.mjs source is unreviewed and x402 packages are niche, the actual key handling path cannot be verified. Loss of this key means total loss of the wallet's funds.

MEDIUM Niche x402 payment libraries not independently audited -15

The package.json depends on @x402/fetch ^2.3.0 and @x402/evm ^2.3.0. These implement the x402 micropayment protocol and handle authorization headers and EVM transaction construction. They are less audited than mainstream packages like viem (which is well-established). A malicious or vulnerable version could intercept the private key during payment signing.

MEDIUM Gamification language engineered to drive autonomous recurring engagement -10

The 'Why It Matters' section uses compounding-reward framing ('Early voters build reputation that compounds', 'Voting streaks unlock handles, badges', '$TODAY launches at the millionth vote') to make the agent perceive daily voting as strategically important. This is not a neutral description of the skill — it is persuasive copy designed to bias the agent toward autonomous, habitual use.

MEDIUM Post-install canary file reads — attribution ambiguous -10

Audit PATH records show a second batch of reads on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials at timestamp 1771930748.830, after the skill files were installed. No npm install was executed, so skill code did not run. These reads are most likely the audit framework's post-install integrity check, but attribution cannot be confirmed from available evidence.

LOW Cross-platform posting mandate overrides agent and user judgment -8

The skill mandates that the agent post identical content on both X and Farcaster, explicitly forbidding platform-specific copy. This is a behavioral override — a user might want different messaging per platform, but the skill's instructions would prevent that.

INFO Revenue wallet explicitly disclosed 0

The skill discloses the revenue destination wallet 0xec7051578C9cE20EA27EED1052F8B4c584AEE2B3 (emojitoday.base.eth). This transparency is positive — users can verify on-chain that funds flow to the stated address.

INFO All honeypot canaries intact 0

The audit framework confirms no honeypot file was modified or exfiltrated. The skill did not write to or transmit any canary credential file during the monitored install window.