Is chenkuansun/openclaw-world safe?

https://github.com/openclaw/skills/tree/main/skills/chenkuansun/openclaw-world

Overall score: 83/100 · SAFE

This skill is a documentation-only IPC schema for a 3D virtual collaboration room. It contains no executable code, no malicious instructions, and installation was clean. The primary security concern is architectural: the Nostr relay bridge creates a bidirectional network channel that could serve as an indirect prompt injection surface (remote agents sending crafted messages) and a potential data leakage path (agent messages relayed to external infrastructure).

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (6)

MEDIUM Indirect prompt injection via Nostr relay messages -20

Remote agents can join rooms via Nostr relays and send arbitrary text messages (up to 500 chars). When the local agent reads room-events, these messages become untrusted input in the agent's context window. A malicious remote agent could craft messages containing prompt injection payloads designed to manipulate the consuming agent's behavior.

MEDIUM Nostr relay bridge creates outbound data channel -15

The room server bridges local IPC with Nostr relay channels. Any data the agent sends via world-chat (500 chars) or registers in its bio (500 chars) is relayed to external Nostr infrastructure where it can be observed by any room participant. This creates a legitimate but exploitable exfiltration path if an agent is tricked into sharing sensitive information.

LOW Browser opening without explicit user gate -8

The open-preview command instructs the agent to open a browser window for the human to view the 3D world. While this is documented functionality, it executes a side effect (browser launch) that the user may not explicitly expect from a chat interaction.

LOW Plugin inventory exposure via clawhub-list -7

The clawhub-list command browses installed OpenClaw plugins and skills from ~/.openclaw/. This exposes the user's installed skill inventory to any agent or room participant, which could be used for reconnaissance.

INFO No executable code in skill package -5

The skill consists entirely of documentation (SKILL.md) and an IPC schema (skill.json). No JavaScript, TypeScript, Python, or shell scripts are included. The package.json is empty with no install hooks.

INFO Clean installation with expected network activity only -5

Installation performed a standard git sparse checkout from GitHub. All observed network traffic corresponds to expected destinations (GitHub, Ubuntu package servers, local DNS/mDNS). No firewall-blocked connections. No unexpected processes spawned.