Is clawlinker/pawr-link-in-bio safe?

https://github.com/openclaw/skills/tree/main/skills/clawlinker/pawr-link-in-bio

79
CAUTION

The pawr-link-in-bio skill is a legitimate web3 profile creation service with two notable security concerns: the x402 automatic payment mechanism authorizes real USDC transactions ($19–29) without per-payment user confirmation, creating financial risk if the skill is triggered unintentionally; and the update-profile workflow embeds an instruction to fetch and parse a live external URL, creating a second-order prompt injection vector through adversarially controlled profile content. No direct prompt injection, executable code, git hooks, or canary exfiltration were detected during installation.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 65/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (8)

HIGH Automatic USDC payments via x402 without per-transaction confirmation -35

The skill instructs agents that 'Payment is handled automatically by the x402 protocol — no manual transfer needed.' This means an agent with a connected wallet executing this skill will authorize and broadcast a $19 USDC on-chain transaction (or $29 USDC for curated, $0.10 for updates) without presenting the user with a payment confirmation prompt at execution time. If the skill is active during an unintended workflow, or if a user is socially engineered into triggering a profile-creation step, real funds are spent automatically.

MEDIUM Update-profile workflow instructs agent to fetch and parse external URL -25

The update-profile section in skill.md contains a bare quoted agent instruction (not merely a documentation example) telling the agent to fetch https://pawr.link/{username} and extract the current profile content before submitting an update. This fetch brings the live content of an external page under pawr.link's control into the agent's active context window. Since the bio field (max 256 chars) of any pawr.link profile is user-controlled and rendered into that page, an adversary who can modify the profile (or who creates a profile with the same username) can inject instructions that the agent processes as part of its update workflow.

MEDIUM Curated option exfiltrates agent description to third-party autonomous agent -20

The curated plan ($29 USDC) asks users to provide a 'description' of up to 1024 characters describing the agent's purpose, platforms, social handles, team, and style. This text is sent to Clawlinker (pawr.link/clawlinker), described as an autonomous agent with on-chain ERC-8004 identity #22945. Depending on deployment context, the description may include sensitive operational details (DeFi strategies, internal tool names, team attribution) transmitted to a third-party agent outside the user's control.

LOW A2A protocol creates bidirectional channel with third-party agent -15

Both skill files document an Agent-to-Agent (A2A) communication path via POST to https://www.pawr.link/api/a2a/clawlinker. If invoked, the host agent receives a JSON-RPC response from Clawlinker which may contain payment instructions, task confirmations, or other message content. A malicious or compromised Clawlinker instance could use response messages to influence the host agent's subsequent behavior.

LOW Wallet address transmitted to external service 0

All create and update operations require transmitting the user's Ethereum wallet address to pawr.link's API. The wallet address is a financial identifier that, combined with the on-chain registration, permanently links the address to the public profile. While this is the stated purpose of the service, it represents a privacy disclosure if the user's wallet is not intended to be publicly attributable.

INFO Canary files accessed read-only before and after install — consistent with audit framework -15

Six canary honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) received OPEN+ACCESS+CLOSE_NOWRITE syscalls at 03:58:06 (6 seconds before git clone started) and again at 03:58:23 (after install completed). This symmetric before/after access pattern — combined with the Canary Integrity report showing all files intact and unmodified — indicates the audit framework's canary baseline monitoring rather than skill-triggered access.

INFO No executable code — skill is documentation-only -5

All five skill files are Markdown. The curl command blocks are illustrative examples that require explicit agent invocation and user-supplied parameters. No package.json scripts, git hooks, symlinks, or binary blobs were found.

INFO All canary honeypots verified intact post-installation -5

The Canary Integrity monitor confirms no honeypot file was modified or exfiltrated during installation. Baseline filesystem diff shows only the five expected skill files were added, all under the designated skill directory.