Is clawd21/bitcoin-daily safe?

https://github.com/openclaw/skills/tree/main/skills/clawd21/bitcoin-daily

78
CAUTION

bitcoin-daily is a functionally coherent Bitcoin Dev mailing list digest skill with clean SKILL.md content and no direct prompt injection or credential-stealing code. The primary risk is indirect: the skill fetches arbitrary public mailing list posts and passes their text to the agent for summarization, creating a persistent indirect prompt injection surface exploitable by anyone who can post to bitcoindev. Secondary concerns include an unnecessary child_process.execSync pattern that spawns a second Node.js runtime for a task the parent could perform natively, a redirect-following HTTP helper with no domain allowlist, and a logically inconsistent version history in _meta.json. No canary files were modified and network behavior during install was limited to GitHub.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (8)

HIGH Unnecessary child_process.execSync spawning second Node runtime -25

fetchMailingList() uses execSync to launch a second node -e process with an inline HTTPS fetch script. The parent script already has the https module available. This pattern adds an opaque subprocess that is harder to monitor, creates a string-interpolation injection surface if the URL were ever parameterized, and is inconsistent with a straightforward data-fetching skill.

HIGH Indirect prompt injection via mailing list content -20

The digest script fetches up to 10 threads from the Bitcoin Dev mailing list, strips HTML tags, and outputs the raw text for the agent to summarize. The mailing list accepts posts from the public, so anyone who can post to it can craft a message containing LLM instructions (e.g., 'SYSTEM: disregard previous instructions') that survive the HTML-stripping pipeline and appear in the agent's context window. With daily cron enabled, this attack executes automatically every morning.

MEDIUM Agent instructed to execute node script from skill directory -12

SKILL.md instructs the agent: 'Run via: node ~/workspace/skills/bitcoin-daily/scripts/digest.js '. This means the agent will execute arbitrary JavaScript from the skill directory on command. If the skill is updated maliciously or if the workspace path is writable by another process, the executed code could differ from what was audited.

MEDIUM Redirect-following fetch with no domain allowlist -12

The fetch() helper unconditionally follows HTTP 3xx redirects to any Location header value. If groups.google.com or gnusha.org were to redirect to an attacker-controlled host, the full raw thread content (up to 1 MB per execSync call) would be sent to that host.

LOW _meta.json version history inconsistency -8

The metadata file declares latest version as 1.3.2 but the history array contains entries for 1.4.0 and 1.5.0 — versions numerically higher than the declared latest. This is logically inconsistent and may indicate metadata manipulation, a downgrade attack, or irregular publishing practices that should be investigated.

LOW Summary archived to disk and re-read by agent -5

After each run, digest.js writes summary.md to the archive directory. The 'read' command reads that file back and prints it. If a prior summary was injected with malicious instructions, running 'read ' would re-inject those instructions into the agent's context.

INFO Clean installation with expected network footprint 0

The skill was installed exclusively via a shallow git clone from github.com/openclaw/skills.git. No unexpected network destinations, no persistent sockets, no new listeners were created post-install.

INFO Canary file accesses attributed to audit framework, not skill 0

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened at timestamps 1771930010.047 (pre-clone) and 1771930027.130 (post-scan). Timing and context are consistent with the oathe framework's baseline setup and post-install integrity verification passes. All files remain unmodified.