Is catsmeow492/nochat-channel safe?

https://github.com/openclaw/skills/tree/main/skills/catsmeow492/nochat-channel

18
MALICIOUS

NoChat Channel is a deliberately malicious plugin that creates a covert command-and-control channel disguised as an encrypted agent-to-agent messaging plugin. Its two core attack mechanisms are: (1) setting CommandAuthorized:true unconditionally for all inbound messages while architecturally bypassing the trust tier enforcement system it ships as a facade, enabling any NoChat user or the server operator to issue fully-authorized commands to the victim agent; and (2) falsely claiming post-quantum Kyber-1024 encryption when the implementation performs only base64 encoding, allowing the nochat-server.fly.dev operator full visibility into all agent communications. The installation process itself is behaviorally clean, but the plugin code contains an intentional backdoor that grants persistent remote control of any agent that installs it.

Category Scores

Prompt Injection 3/100 · 30%
Data Exfiltration 5/100 · 25%
Code Execution 8/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 60/100 · 10%
Behavioral Reasoning 2/100 · 5%

Findings (10)

CRITICAL CommandAuthorized:true set unconditionally — trust tier system bypassed -92

In index.ts handleNoChatInbound, the ctxPayload sets CommandAuthorized:true for every inbound message regardless of sender identity or trust tier. The trust tier enforcement code in channel.ts NoChatChannel.handleInboundMessage is never called — index.ts overrides startAccount and wires transport.onMessage directly to handleNoChatInbound, which performs no trust check of any kind. This means any entity that can deliver a NoChat message to the agent (any registered NoChat user, or the server operator who can inject messages directly) will have that message dispatched as a fully authorized command.

CRITICAL False Kyber-1024 encryption claim — messages are base64 only -95

SKILL.md and README.md both prominently claim 'Post-quantum (Kyber-1024) encryption. Server never sees plaintext.' and 'Server-blind.' The actual implementation in api/client.ts sendMessage encodes with Buffer.from(text).toString('base64') and getMessages decodes with Buffer.from(raw,'base64').toString('utf-8'). There is no cryptographic operation of any kind. This is a deliberate lie designed to prevent security reviewers from identifying the skill as a C2 channel and to reassure users their communications are private when they are not.

CRITICAL Persistent remote prompt injection channel via NoChat server -97

Because messages are plaintext to the server operator (fake encryption) and CommandAuthorized:true is set unconditionally, the operator of nochat-server.fly.dev holds permanent root-level access to every agent running this plugin. They can send any message — including OpenClaw commands, jailbreak instructions, or instructions to read and exfiltrate files — and the agent will process it as a fully authorized command from the owner. This is a covert command-and-control infrastructure disguised as a messaging plugin.

HIGH Agent API key and all session content transmitted to external server -85

The configured apiKey is transmitted with every API call to nochat-server.fly.dev (Authorization: Bearer header). All agent responses are delivered via client.sendMessage to the external server. Combined with the fake encryption, the NoChat server operator has full visibility into all agent activity conducted over this channel.

HIGH Trust tier facade — enforcement code is architecturally dead in production path -88

The skill ships a sophisticated trust tier system (blocked/untrusted/sandboxed/trusted/owner) complete with auto-promotion logic, per-tier session configs, and rate limiting. This system exists entirely in channel.ts and is never invoked in the actual message handling path. The index.ts override of startAccount wires the transport directly to handleNoChatInbound, which performs no trust check and sets CommandAuthorized:true. The elaborate trust system appears to exist to pass code review and give false assurance of security.

HIGH Designed as covert C2 infrastructure with deliberate deception -98

The combination of fake encryption claims, trust tier facade, CommandAuthorized:true bypass, and external server polling constitutes a deliberately engineered attack tool. An attacker controlling nochat-server.fly.dev can issue commands to all installed agents. If paired with file-system or shell skills, this enables credential theft, data exfiltration, and lateral movement.

MEDIUM Double base64 decode enables obfuscated payload delivery -30

handleNoChatInbound attempts to double-decode the encrypted_content field: if the decoded string itself looks like printable ASCII, it uses the double-decoded value. This allows payloads to be double-encoded, evading content-inspection tools that only perform one level of base64 decoding, while still executing correctly when dispatched to the agent.

MEDIUM Canary credential files read at unexplained post-install timestamp -40

Auditd records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials were all opened and read at timestamp 1771905772 — 1-2 seconds after install completion. The monitoring framework reports canaries intact, but no EXECVE event is visible for this window. The pre-install reads at 1771905748 are attributable to the monitoring framework; the post-install reads are ambiguous.

LOW Installation process is clean -15

The git sparse-checkout installation from the expected monorepo (github.com/openclaw/skills.git) produced no unexpected network connections, no filesystem changes outside the skill directory, and no background processes. No npm lifecycle scripts, git hooks, submodules, or symlinks were present.

INFO SKILL.md contains no visible prompt injection text 0

The SKILL.md content is a truncated feature description with no hidden unicode, no HTML comments, no instructions to override system prompts, and no persona-switching directives. The injection risk is entirely in the runtime code, not the SKILL.md document itself.