Is blackeuler/spawn-incubator safe?

The SKILL.md frontmatter contains heartbeat: true in the OpenClaw metadata block. In the OpenClaw framework, this flag causes the framework to schedule recurring reminders to the agent to call heartbeat(uint256 appId) on the SpawnIncubator contract every 7 days. This creates an autonomous background behavior loop that operates without per-action user consent, potentially triggering blockchain transactions and spending ETH on gas fees on a recurring basis.

The application proposal JSON schema in SKILL.md includes an agent_capabilities field that instructs the agent to enumerate 'Tools, APIs, models, and resources you have access to.' When an agent follows these instructions, it would transmit a detailed inventory of its tool access and integrations to spawn.fund — an external third-party operator — potentially enabling that party to profile the agent's attack surface or tailor social engineering.

The skill contains complete step-by-step instructions for an AI agent to autonomously: (1) query live fee data from an external API, (2) draft and host a proposal, (3) submit an on-chain transaction with ETH attached as entry fee (~$10+), and (4) enter a 12-month revenue-sharing smart contract committing 20% of all on-chain revenue. An agent with wallet access that follows these instructions could make legally and financially binding commitments without human approval.

The skill instructs the agent to proactively fetch GET https://spawn.fund/api/fee and other live endpoints as part of a multi-step workflow. No instruction requires human confirmation before making these external calls. A sufficiently agentic model could execute the full application flow — including on-chain submission — within a single tool-use chain.

The auditd PATH records show /home/oc-exec/.env was accessed at timestamps 1771736395.354 and 1771736402.204 — both during the active audit monitoring window and bracketing the install completion (1771736401). The accesses are attributed to the openclaw-gateway process (pid=1076) rather than a skill-spawned process, and canary integrity is confirmed intact. However, the timing correlation with installation is notable and could indicate framework-level credential probing.

The skill emphasizes that the RevenueRouter smart contract 'is immutable — no one can change the split.' If an agent deployed this contract on behalf of a user without explicit authorization, the 20% revenue diversion cannot be reversed for 12 months. This design removes any safety hatch for unauthorized actions.

The installation performed a standard git clone --depth 1 --no-checkout of the openclaw/skills monorepo, followed by a sparse checkout of the target subpath and file copy. No post-install scripts, compiled artifacts, or unexpected network connections were generated by the skill installation itself.

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed only by the audit framework's own integrity checks at session start and end. No outbound data correlated with canary content was observed.