Is buzzbysolcex/buzz-bd safe?

https://github.com/openclaw/skills/tree/main/skills/buzzbysolcex/buzz-bd

72
CAUTION

The buzz-bd skill presents a CAUTION verdict primarily due to two unanalyzed executable scripts (buzz-scan.mjs, eliza-adapter.mjs) whose source was not captured in the audit evidence, making runtime behavior unverifiable. The SKILL.md itself is clean with no prompt injection, and canary file integrity was maintained throughout the session. Secondary concerns include the x402 autonomous micropayment protocol integration (a financial exfiltration vector if wallet credentials are accessible) and a bundled .clawhub/lock.json referencing a separate skill that should not appear in a published package.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 72/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 63/100 · 5%

Findings (7)

HIGH Executable script content unavailable for analysis -35

The skill ships two JavaScript modules (scripts/buzz-scan.mjs and scripts/eliza-adapter.mjs) that are invoked when the agent processes /buzz commands. The content of these files was not captured in the audit evidence, making it impossible to verify whether they read local files, exfiltrate data, or make unauthorized network requests during execution. These scripts are the primary attack surface of this skill.

MEDIUM x402 autonomous micropayment protocol integration -20

The skill documents support for the x402 protocol enabling autonomous USDC micropayments on Solana for premium intelligence access. While the skill states this is off by default, the presence of x402 infrastructure means agent-held wallet credentials or signing keys, if accessible, could be used to transfer funds autonomously. This is a financial exfiltration vector not present in most skills.

MEDIUM Post-install OpenClaw gateway established multiple new external connections -15

After skill installation, the openclaw-gatewa process (pid=1089) opened three new outbound HTTPS connections and two new localhost listening ports. While these are attributable to the OpenClaw framework rather than the skill directly, the skill's installation triggered this network activity. The destination IPs include Cloudflare (104.16.5.34), and two AWS endpoints (98.83.99.233, 3.213.170.18) that were not active pre-install.

LOW Unexpected .clawhub/lock.json bundled with skill referencing a different skill -10

The skill package contains a .clawhub/lock.json that records academic-research-hub v0.1.0 as an installed skill. This lock file should not normally be bundled inside a published skill — it suggests either the skill was packaged from an environment where other skills were installed, or this file was intentionally included. This could indicate the skill assumes or relies on co-installed skills.

LOW Sensitive credential files read twice during session by monitoring processes -12

auditd PATH records confirm .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials were accessed at two points during the session. Timing analysis places these accesses within the oathe monitoring framework's own baseline and post-install verification passes rather than skill code, but explicit process attribution was not captured.

INFO SKILL.md contains explicit trust statement and scope limitation 0

The skill includes a clear trust statement identifying the only external endpoint (api.dexscreener.com), an explicit list of actions it will NOT take, and no language attempting to override agent instructions or expand permissions beyond its stated purpose.

INFO No auto-execution mechanisms found 0

package.json contains no preinstall, postinstall, or prepare lifecycle scripts. No git hooks, .gitattributes filter drivers, git submodules, or symlinks pointing outside the repo were detected. The skill requires explicit agent invocation to execute its scripts.