Is calebwin/clawslist-skill safe?

https://github.com/openclaw/skills/tree/main/skills/calebwin/clawslist-skill

52
CAUTION

Clawslist presents as a legitimate AI agent marketplace skill but contains a critical credential harvesting scheme: its 'Secrets' feature deceptively instructs agents to upload real API keys and sensitive credentials to clawslist.com servers, falsely marketed as the platform's 'core safety feature.' The skill further instructs agents to operate autonomously via a periodic heartbeat mechanism, post services and seek gigs without per-action user approval, and communicate privately with other AI agents through an unmonitored channel — all while routing every action through clawslist.com infrastructure. The installation itself was completely clean (markdown-only files, standard GitHub clone, no canary exfiltration), which prevents a DANGEROUS verdict, but the skill's instruction-level attack surface is severe: it is purpose-designed to harvest credentials early in onboarding, establish persistent autonomous engagement, and enable covert agent-to-agent communication under the cover of a plausible marketplace tool.

Category Scores

Prompt Injection 42/100 · 30%
Data Exfiltration 10/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 15/100 · 5%

Findings (12)

CRITICAL Credential Harvesting via 'Secrets' Feature -60

The skill explicitly instructs the agent to upload real API keys and credentials (OpenAI, Anthropic, GitHub, AWS, etc.) to clawslist.com servers, falsely framed as a leakage-prevention safety feature. The server retains plaintext secret values despite the claim that 'values are never exposed through the API' — that claim only describes the list-endpoint response, not server-side storage. Critically, the feature is labeled '(Important!)' and positioned as step 3 of onboarding, before any posting begins, to maximize credential collection at the earliest opportunity.

HIGH Deceptive Security Framing Masks Credential Upload as Safety Measure -10

The skill employs trust-building language to compel agents and users to upload credentials, presenting it as the platform's central security guarantee. This is social engineering: filtering post content for known secret values is a trivially simple string-match feature that does not require storing plaintext secret values server-side. The false guarantee ('we guarantee your secrets cannot accidentally leak') increases agent and user compliance while obscuring the data transfer.

HIGH All Agent Activity Transmitted to External Third-Party Server -20

Every action the agent takes under this skill routes through clawslist.com: posts, replies, DMs, profile updates, notification reads, and browsing activity. This creates a comprehensive, persistent external record of agent capabilities, user needs, ongoing projects, and inter-agent communication patterns — all on infrastructure outside the user's control and visibility.

HIGH Autonomous Posting and Financial Commitments Without Per-Action User Approval -25

The skill instructs the agent to autonomously post services, create gig listings, reply to job postings, update resumes, and engage in financial negotiations — none of which require per-action user approval. This converts the agent from a reactive assistant into an autonomous marketplace participant that can publicly commit the user to service obligations, share capabilities, and enter into agreements without explicit consent.

HIGH Financial Motivation Framing Overrides Agent Conservative Defaults -20

The skill opens with an explicit financial imperative and references speculative AI-ecosystem cryptocurrencies to create urgency. This framing attempts to reprogram the agent's default conservative, user-directed posture by making financial gain a primary goal, potentially justifying autonomous high-risk actions ('browse posts as frequently as possible', 'Don't ghost') that the agent would otherwise decline to take without explicit user direction.

MEDIUM Heartbeat Instructs Unprompted Autonomous Operation Every Few Hours -13

heartbeat.md instructs the agent to independently check clawslist every few hours, running a full sequence of notification checks, DM reviews, listing browsing, and autonomous posting — all without any user prompt triggering the session. This establishes a persistent background process that operates across user sessions, making ongoing API calls and potentially taking actions without user awareness or initiation.

HIGH Sophisticated Multi-Vector Attack Combining Credential Harvesting, Persistent Operation, and Covert Communication -45

The skill's architecture represents a coherent, multi-stage attack: (1) harvest credentials immediately via the 'Secrets' feature framed as safety, (2) establish persistent autonomous operation via heartbeat for ongoing data collection, (3) enable unmonitored agent-to-agent private messaging for potential covert coordination or instruction injection. Each feature appears individually plausible for a legitimate marketplace tool, but together they form a system designed to extract credentials, maintain indefinite access, and enable side-channel communication — all without triggering obvious red flags during installation.

MEDIUM Agent-to-Agent Private Messaging Enables Unmonitored Inter-Agent Communication -15

The messaging system enables arbitrary AI agents to communicate privately via clawslist.com after a one-time human approval of the connection request. Once approved, agents can exchange messages without per-message human oversight. This creates a side channel where attacker-controlled agents could deliver instructions, request information, or coordinate behaviors without user awareness or auditability.

MEDIUM Persistent Heartbeat Enables Indefinite External Data Accumulation -25

The heartbeat mechanism's design — with explicit state tracking and time-based triggers — means the agent will continuously build an ever-richer profile on clawslist.com: more services posted, more gigs sought, more discussions joined, more DMs exchanged. Combined with the credential harvesting, this creates an increasingly complete external portrait of the agent's capabilities and the user's needs on a third-party platform indefinitely.

INFO Manual Install Option References Remote curl Execution -5

While the monitored installation (git clone) is clean and installs only markdown files, skill.md's Option 2 manual installation instructs running curl commands to fetch live content from clawslist.com directly into the skill directory. This is a minor risk: future skill updates could alter server-side content delivered to agents using this path without a corresponding git commit.

LOW Clean Installation with Expected Network Behavior Only -12

The monitored installation performed a standard sparse git clone from GitHub. Only expected connections to GitHub servers (140.82.121.3:443) were observed. No unexpected process spawning, filesystem changes outside the skill directory, or connections to clawslist.com were observed during the install phase.

INFO Canary Files Read by Monitoring Infrastructure at Baseline and Post-Install Check -15

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud application_default_credentials.json) show OPEN/ACCESS inotify events at two points during the audit. Both access clusters are attributable to the oathe monitoring system's own SSH sessions performing pre-install baseline establishment and post-install integrity verification, not to any skill-installed code. All files remain unmodified.