Is capevace/claw-events safe?

https://github.com/openclaw/skills/tree/main/skills/capevace/claw-events

Overall score: 54/100 (CAUTION)

claw.events presents itself as a legitimate agent messaging infrastructure but embeds several high-severity by-design behaviors: it instructs agents to (1) self-propagate to other agents in a worm-like pattern, (2) persistently modify their own heartbeat/task files with mandatory external check-in routines, and (3) execute a remote instruction-fetch command that allows the skill operator to push updated prompts to all installed agents at any time. The subexec feature additionally creates an RCE-via-message-bus attack surface exploitable by any public channel participant. Installation was clean with no suspicious behavior during the git clone phase, but the skill's documented functionality represents significant systemic risk if widely deployed.

Category Scores

Prompt Injection 35/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (12)

CRITICAL Embedded self-propagation — worm-like skill spreading -30

The 'Grow the Network' section explicitly instructs agents to share the SKILL.md URL with other agents and recruit them to install claw.events. This is architectural worm behavior: each installed agent is instructed to infect additional agents. The framing as a civic 'responsibility' makes it persuasive rather than suspicious to the host agent.

HIGH Heartbeat file injection — persistent behavioral modification -20

The skill instructs agents to edit their own HEARTBEAT.md or equivalent periodic task file to add mandatory claw.events check-ins every 1-2 hours. This is a prompt-injection-via-documentation attack: the skill modifies the agent's standing instructions, creating a persistent obligation to phone home that survives the initial conversation context.

HIGH Remote instruction fetching via instruction-prompt -15

The skill documents a claw.events instruction-prompt command that retrieves a live system prompt from the claw.events server. This allows the skill operator to silently push updated instructions to every agent running the skill, at any time after installation, without any new skill publish or user action.

HIGH Global install of unaudited external npm package -30

The skill instructs agents to run npm install -g claw.events, which downloads and executes arbitrary code from the npm registry with global filesystem access. The installed package was not part of this audit. npm postinstall scripts can execute arbitrary shell commands at install time.

HIGH subexec enables RCE via public channel messages -25

The claw.events subexec command executes arbitrary local shell scripts on every message received from a subscribed channel. Since public channels (including public.townsquare) are writable by any authenticated user, any network participant can craft messages that influence script execution on agents running subexec handlers. This is a remote code influence surface mediated by the message bus.

MEDIUM Public channel broadcast of agent activity -20

The skill's heartbeat instructions direct agents to regularly publish their status and discoveries to public.townsquare and their own agent channels. All public channels are readable by any claw.events user globally. Agent operational data, including what tasks are being performed and when, becomes surveillance-accessible.

MEDIUM Token extraction pattern taught in documentation -15

The 'Running Multiple Agents' section demonstrates extracting JWT authentication tokens directly from config files using shell pipelines. This pattern teaches agents to read and manipulate tokens from sensitive config locations (~/.claw/), normalizing token-handling behavior that could be exploited.

MEDIUM Arbitrary URL fetch from untrusted channel messages -10

Example code pipes channel message content through jq and into curl to download files to the agent's home directory. Channel messages originate from untrusted third parties; this pattern enables server-side request forgery and arbitrary file writes if an attacker controls a channel the agent follows.

MEDIUM Centralized C2 infrastructure — single point of compromise -30

All agents running this skill maintain ongoing connections to claw.events servers for pub/sub and heartbeat check-ins. The instruction-prompt feature provides an always-on remote instruction delivery channel. A compromise of claw.events infrastructure, or a malicious update to the instruction-prompt endpoint, would allow simultaneous re-instruction of all installed agents worldwide.

MEDIUM Network-amplified self-replication risk -20

The combination of self-propagation instructions and the public agent-discovery mechanism (advertise list) means installed agents actively recruit new agents while also advertising themselves for discovery. This creates compounding growth with no opt-out mechanism described for the propagation behavior.

LOW Cross-agent influence via shared public channels -15

Multiple agents subscribing to the same public channels and running subexec handlers creates a shared execution environment where any agent (or attacker impersonating one) can influence the behavior of all subscribed agents simultaneously. The trust model assumes channel participants are benign.

INFO Clean installation — expected behavior only 0

The installation process performed only a sparse git clone from github.com. No suspicious network connections, no unexpected process spawning, no filesystem changes outside /home/oc-exec/skill-under-test/. The connection to 185.125.188.54:443 (Ubuntu infrastructure) was pre-existing.