Is clawdmintt/clawdmint safe?

The skill's manual installation instructions include curl -o ~/.openclaw/skills/clawdmint/SKILL.md https://clawdmint.xyz/skill.md. This replaces the installed skill file with whatever the publisher currently serves. Any future version can contain malicious instructions injected directly into the agent's system prompt without user re-review or re-installation. This is a persistent supply chain injection vector.

Two new ESTABLISHED TCP connections to AWS EC2 IPs (3.213.170.18:443, 44.214.208.192:443) and a completed Cloudflare connection (104.16.9.34:443 TIME-WAIT) appeared in the post-install connection diff, attributable to the openclaw-gateway process. This suggests the OpenClaw framework automatically contacted external infrastructure upon skill installation, potentially transmitting installation telemetry or registering the skill with the publisher backend.

The skill instructs agents to register http://your-gateway:18789/hooks/agent as a webhook with clawdmint.xyz. Port 18789 is the OpenClaw agent gateway. This creates a persistent inbound channel from the publisher's servers directly into the user's local agent runtime, enabling the publisher to push arbitrary events that the agent processes.

The skill's primary function is deploying ERC-721 smart contracts on Base Mainnet (chain_id 8453). Once deployed, contracts are permanent and any ETH spent on gas or mints is unrecoverable. An agent following this skill autonomously could deploy contracts and set payout_address to attacker-controlled wallets, with no recourse for the user.

A TIME-WAIT TCP connection to 104.16.9.34:443 (Cloudflare IP range, consistent with clawdmint.xyz's CDN) appeared immediately after install in the connection diff. This suggests the OpenClaw framework automatically contacted the skill publisher's endpoint at install time, potentially transmitting environment or identity information.

The skill advertises x402 protocol support allowing agents to pay USDC per-request (e.g., $2.00 per collection deploy) without needing an API key. An agent with a funded wallet and this skill active could spend user funds autonomously each time it invokes an x402-protected endpoint, with no per-transaction confirmation.

The skill package includes .clawhub/lock.json listing academic-research-hub v0.1.0 as an installed skill (installedAt: 1770957475341). This unrelated skill reference is anomalous in a distributed skill package — either developer workspace contamination (poor hygiene) or a potential attempt to confuse agent state about which skills are already installed.

Two new TCP listeners appeared on 127.0.0.1:18793 and 127.0.0.1:18790 post-install, operated by openclaw-gatewa. While these are local-only and belong to the OpenClaw framework rather than the skill itself, they represent new local attack surface not present before installation.

The skill documents a 2.5% platform fee on all mints flowing to clawdmint.xyz. This creates a direct financial incentive for the publisher to design the skill to maximize agent-initiated collection deployments and mints, which may not align with user interests.

Static analysis found no package.json with install scripts, no .gitattributes filter drivers, no git submodules, no symlinks pointing outside the repo, and no binary payloads. The skill is documentation-only at rest.

Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were not accessed or modified by any process attributable to the skill during installation.