Is canuc/wayfinder safe?

https://github.com/openclaw/skills/tree/main/skills/canuc/wayfinder

Overall score: 79 (CAUTION)

The canuc/wayfinder skill is a transparent, functionally complete DeFi trading interface that includes explicit safety warnings (no key output, mandatory transaction confirmation) and a path-sandboxed script execution environment. Its primary risks are structural rather than malicious: it instructs the agent to clone and execute an external Python SDK from a third-party GitHub repository, and establishes a recurring mechanism by which external reference documents are fetched and injected into the agent's context window before every custom script operation — creating a supply chain and prompt injection surface that lies outside the audited skill boundary. Cryptocurrency private keys are stored in a plaintext config file accessible to the agent and to any script the agent writes, making prompt injection via the external SDK channel a high-consequence attack path.

Category Scores (score out of 100, with weight in the overall score)

Prompt Injection: 78/100 (weight 30%)
Data Exfiltration: 82/100 (weight 25%)
Code Execution: 68/100 (weight 20%)
Clone Behavior: 90/100 (weight 10%)
Canary Integrity: 93/100 (weight 10%)
Behavioral Reasoning: 65/100 (weight 5%)

Findings (10)

[HIGH] External SDK Cloning and Execution Creates Supply Chain Risk (-20)

The skill instructs the agent to git clone https://github.com/WayfinderFoundation/wayfinder-paths-sdk.git, run 'poetry install', and execute 'python3 scripts/setup.py' from that external repository. This establishes a persistent supply chain dependency on a third-party GitHub repo controlled by WayfinderFoundation. A repository takeover, malicious commit, or compromised CI/CD pipeline at that upstream could result in arbitrary code execution on the user's machine. The skill also instructs the agent to update the SDK, broadening the attack window over time.

[HIGH] Recurring Remote Content Injection via pull-sdk-ref.sh (-12)

SKILL.md instructs the agent to run './wayfinder/scripts/pull-sdk-ref.sh' before writing any custom script. This script fetches documentation from the external wayfinder-paths-sdk repository (at a commit pinned in sdk-version.md) and injects it directly into the agent's context window. An override flag (--commit) lets a caller specify an arbitrary commit instead of the pinned one. If the upstream SDK repo is compromised, an attacker can place prompt injection payloads in the fetched documentation, which the agent processes in its next reasoning step, bypassing the static SKILL.md audit. This is a persistent, recurring injection surface that lies outside the audited skill boundary.

[MEDIUM] External SDK Reference Documents Injected into Agent Context (-12)

The mechanism described above means that every time a user asks the agent to write a DeFi script, the agent is instructed to fetch and process external content from the WayfinderFoundation GitHub repository. This content is not part of the audited SKILL.md — it lives in a separate, mutable repository that can change between audits. The injected docs could contain instructions that override system prompt rules, instruct the agent to output config secrets, or alter transaction parameters.

[MEDIUM] Cryptocurrency Private Keys Stored in Agent-Readable config.json (-10)

The skill's operational design requires users to store cryptocurrency wallet private keys as plaintext hex strings ('private_key_hex') in config.json. The agent reads this file during every command invocation. SKILL.md explicitly warns 'NEVER output private keys or seed phrases into the conversation', but if prompt injection occurs (e.g., via the SDK reference channel), this protection could be bypassed. CEX API credentials (Binance, Aster) are also stored in the same config file.

[MEDIUM] Live Fund-Moving Transactions with Irreversible On-Chain Effects (-20)

The skill enables the agent to execute live cryptocurrency transactions including token swaps, perp orders on Hyperliquid, Polymarket prediction market trades, and cross-chain bridge deposits. These operations are irreversible once broadcast. The skill notes 'Do not rely on [force] as a dry-run vs live gate' and warns that Hyperliquid deposits below $5 USDC are permanently lost. A hallucinating or injected agent could execute unintended trades or bridge transactions that cannot be reversed.

[MEDIUM] Agent-Writable Script Sandbox Has Full Network and Filesystem Access (-15)

The skill's coding interface allows the agent to write arbitrary Python scripts to .wayfinder_runs/ and execute them via run_script. The sandbox enforces only that scripts reside within this directory — it does not restrict what the scripts can do. Scripts inherit the agent's environment (including WAYFINDER_CONFIG_PATH containing private keys), can make outbound network connections, read any user-accessible file, and execute subprocesses. A manipulated agent could write a script that exfiltrates config.json to an external server.

[LOW] Agent-Written Scripts Can Access config.json and System Files (-8)

Scripts executed via run_script inherit the process environment including WAYFINDER_CONFIG_PATH. A code example in SKILL.md shows 'get_adapter(MoonwellAdapter, "main")' which auto-wires config loading and extracts private_key_hex. Any script the agent writes (potentially under prompt injection) has direct programmatic access to private keys and can exfiltrate them via network calls, without the config file itself being modified (avoiding canary detection).

[LOW] Data Sourcing Preference Rule Routes Queries Through Skill Provider Infrastructure (-10)

SKILL.md contains an 'Asset/data sourcing rule' that instructs the agent to always prefer Wayfinder's API endpoints for token, pool, and market data, falling back to other methods only if Wayfinder does not expose the data. This soft behavioral override routes all financial data queries through https://strategies.wayfinder.ai/api/v1, giving the skill provider visibility into the user's trading queries and the ability to selectively serve manipulated token metadata (e.g., wrong contract addresses).

[LOW] Install Behavior Clean: Only Expected GitHub Connection (-10)

The skill installation made only the expected network connection to github.com (140.82.121.3:443) for sparse-checkout of the skill from the openclaw/skills monorepo. No unexpected processes were spawned, no filesystem changes occurred outside /home/oc-exec/skill-under-test/, and no persistent listeners or cron jobs were established. The two pre-existing connections to Ubuntu infrastructure (91.189.91.49, 185.125.188.58) were already present before install.

[INFO] Canary Files Accessed Post-Install: Attributed to Monitoring System (-7)

Honeypot canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud application_default_credentials.json) were accessed at two points: 1771934788.328 (pre-install baseline by Oathe monitoring) and 1771934812.518 (post-install integrity verification by Oathe monitoring). The SKILL.md contains no instructions to read sensitive files. All canary files were confirmed intact with no modifications. No network traffic correlated with these accesses.