Is canuto/codehooks-backend safe?

The skill explicitly enables agents to write and deploy arbitrary JavaScript to a live serverless backend with no human review gate. An agent with coho installed and CODEHOOKS_ADMIN_TOKEN set can deploy code that opens persistent outbound channels, exfiltrates data from prior tool calls or environment variables, or creates public webhook endpoints that accept attacker commands. The skill's own warning acknowledges this but does not restrict the capability.

The skill instructs agents to run coho prompt before any build task and copy the output into their active context as authoritative development instructions. This content is fetched live from codehooks.io/llms.txt. If the service is compromised, serves user-specific dynamic content, or is taken over, this becomes a direct prompt injection vector into the agent's working context without user visibility.

The skill enables deploying arbitrary JavaScript with full Datastore access, process.env access, and unrestricted outbound fetch(). An agent directed by a malicious user prompt could deploy code that reads environment variables (including CODEHOOKS_ADMIN_TOKEN or other secrets in the deployment environment), queries and exports database contents, or forwards data to attacker-controlled endpoints disguised as legitimate webhook integrations.

The workflow automation example accepts a callbackUrl from user-supplied request body and unconditionally POSTs internal workflow state (including task results and IDs) to it. If an attacker controls task input data, they can redirect sensitive workflow outputs to an arbitrary external endpoint. The pattern is presented as a recommended best practice, increasing the likelihood agents will replicate it.

The coho export command is documented without any access scoping, filtering, or rate-limiting guidance. An agent can invoke it to dump entire collections to stdout. In combination with other tool access (file write, clipboard, outbound requests), this enables bulk data exfiltration of all deployed backend data.

The skill references several external URLs the agent is expected to consult at runtime, including codehooks.io/llms.txt, codehooks.io/docs/cli, and GitHub template repositories. Each represents a secondary injection surface: if any URL serves dynamic or attacker-influenced content, the agent may receive and act on adversarial instructions framed as legitimate documentation.

Complete file inventory shows only SKILL.md, README.md, CLAUDE.md, _meta.json, .clawhub/lock.json, and four example JavaScript files. No package.json, no npm lifecycle scripts, no git hooks, no submodules, and no symlinks pointing outside the repository were present. Install process involved only git clone + sparse-checkout + file copy with no code execution.

Install network activity was limited to github.com (140.82.112.3:443) for the git clone. The new connections visible in the post-install socket diff to 34.233.6.177:443 (AWS EC2, likely OpenClaw backend) and 104.16.9.34:443 (Cloudflare) belong to the openclaw-gateway process (pid=1085) which was already running before the install, confirmed by its presence in the filesystem diff as /home/oc-exec/.openclaw-executor/gateway.pid.

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud application_default_credentials.json) were read at two timestamp clusters: 1771736467.626-628 (pre-clone baseline scan) and 1771736483.639 (post-install verification). Both clusters match the oathe audit framework's own scanning pattern. Canary integrity check confirms all files intact with no content modifications or exfiltration. Filesystem diff confirms no new files written to /home outside skill-under-test directory.