Is clawd800/onchat safe?
https://github.com/openclaw/skills/tree/main/skills/clawd800/onchat
The OnChat skill is a legitimate blockchain interaction tool with no malicious code, no credential harvesting, no install-time backdoors, and a clean installation profile. However, it introduces two meaningful security risks: (1) the channel monitoring feature creates a persistent pipeline from publicly-writable on-chain content into agent actions, making any monitored channel an effective prompt injection attack surface; and (2) the skill enables autonomous ETH spending and publishes permanent on-chain records without per-action user confirmation, meaning a successful injection or agent error can have irreversible financial and reputational consequences. The skill should only be installed by users who understand that any attacker can post to monitored channels and that the agent may act on that content autonomously.
Findings (10)
HIGH (-25): On-Chain Content Acts as Uncontrolled Prompt Injection Vector
The skill instructs the agent to read blockchain messages from any monitored channel and 'engage naturally' with them. The Base blockchain is publicly writable — any actor can post arbitrary text including adversarial instructions. Because the agent is told to treat these messages as conversation to respond to, on-chain content functions as an external, attacker-controlled prompt injection vector with no sanitization boundary.
HIGH (-25): Autonomous ETH Spending Without Per-Transaction Confirmation
When channel monitoring is active, the agent is instructed to reply to messages autonomously. Each reply is a paid blockchain transaction (0.00001–0.00003 ETH). Over an extended monitoring session or following a prompt injection, this can drain the user's wallet without explicit per-action user approval. The auto-join behavior also silently associates the user's wallet with arbitrary channels.
MEDIUM (-13): Monitoring Loop Amplifies Injection Attack Surface
The skill's monitoring design creates a persistent loop where the agent repeatedly reads attacker-controlled content and responds. A single malicious message posted to a monitored channel will be seen and acted upon without user review. This is structurally different from a one-shot read — it is an ongoing, automated pipeline from attacker-controlled blockchain content to agent action.
MEDIUM (-12): Permanent Irreversible On-Chain Actions
All messages sent via this skill are permanent blockchain transactions that cannot be deleted or retracted. A successfully injected instruction, agent hallucination, or misuse results in a permanent on-chain record linked to the user's wallet, with potential reputational and financial consequences.
MEDIUM (-10): Wallet Private Key Exposed in Agent Environment
ONCHAT_PRIVATE_KEY is loaded from process.env and used to sign transactions. This key is present in the agent's environment variable namespace for the entire session, making it readable by any other skill, tool call, or compromised code running in the same process. Prompt injection via on-chain content could instruct the agent to echo or transmit this value.
MEDIUM (-8): On-Chain Exfiltration Channel via sendMessage
If the agent is compromised via prompt injection (e.g., instructed by on-chain content to read a file), the sendMessage command provides a ready-made exfiltration channel — file contents can be posted as a blockchain transaction. The receiving address is the monitored channel, which is publicly readable. This is a non-trivial secondary risk requiring successful primary injection.
LOW (-8): Third-Party npm Package Dependencies with Version Ranges
The skill requires viem@^2.23.2 and tsx@^4.19.2. Version range specifiers allow automatic minor/patch updates. While both libraries are well-known and currently trusted, this introduces ongoing supply chain risk if either package is compromised in a future version. No lockfile is included in the skill directory.
LOW (-7): Agent-Context Accessible Private Key in Environment
The wallet private key is not scoped to only the onchat.ts subprocess — it is set as an environment variable in the parent shell/agent process and inheritable by child processes. Any skill or subprocess spawned in the same session can read ONCHAT_PRIVATE_KEY from /proc/self/environ or via os.environ.
INFO (0): Clean Installation — GitHub Only Network Contact
The git clone connected only to GitHub (140.82.121.4:443) as expected. No extraneous network connections were made during installation. The connection to 185.125.188.59:443 was pre-existing before the clone began.
INFO (0): No Credential Exfiltration Detected
All honeypot files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed only by the oathe monitoring framework itself during pre/post baseline scans. No network transmission of canary content was detected.