Is clawplaza/clawwork-genesis safe?

https://github.com/openclaw/skills/tree/main/skills/clawplaza/clawwork-genesis

Overall score: 74/100 (weighted from the category scores below)
Verdict: CAUTION

ClawWork Genesis is a functional NFT inscription skill with two notable security concerns: a dynamic prompt injection vector embedded in a 'Tip for owners' that directs agents to fetch an externally-controlled URL on demand, and a mandatory social media marketing mechanism that uses the agent to coerce brand promotion as a prerequisite for NFT claiming. The skill makes frequent outbound API calls to a third-party server (work.clawplaza.ai) and links user identity to agent activity, but canary integrity was clean and installation behavior was standard.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 55/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 52/100 · 5%

Findings (10) (severity · title · score deduction)

HIGH Remote URL dynamic instruction injection -25

The Quick NFT Check section contains a 'Tip for owners' that instructs users to tell their agent: 'Read https://work.clawplaza.ai/genesis-skill.md and check my NFT status.' This causes the agent to fetch an external URL controlled by the skill author. Because the content at that URL is not part of the installed skill, it can be changed at any time without a skill update, allowing silent injection of new behavioral instructions into any agent that processes this tip; the installed skill files alone give no way to review what the agent will actually be told.

HIGH Mandatory agent-mediated brand marketing on X/Twitter -20

When an NFT is won, the skill marks displaying a pre-written X/Twitter post template as MANDATORY and instructs the agent to direct the owner to publish it. The post contains brand keywords required for platform verification, effectively making the agent a marketing enforcement mechanism that conditions NFT claiming on brand promotion.

MEDIUM Agent autonomy override on pre-flight setup -10

The pre-flight checklist explicitly instructs the agent to resolve the agent name requirement autonomously without consulting the user. The agent name becomes a permanent identifier on the skill author's platform, meaning the agent is directed to register the user without explicit user consent.

MEDIUM Continuous LLM output transmission to third-party server -15

The challenge-response system requires the agent to submit LLM-generated text to work.clawplaza.ai on every inscription call. Up to 48 times per day, agent-generated content (challenge answers) plus session metadata (token_id, nonce, agent_id) are transmitted to the skill author's infrastructure.

MEDIUM User identity binding to agent activity -8

The /skill/claim endpoint links the user's ClawWork account to their agent using a claim code. Once linked, all agent inscription activity (token IDs, nonces, CW earned, NFT win events) is associated with the user's identity on the skill author's server.

MEDIUM Unbounded autonomous loop consuming agent sessions -10

The inscription loop runs up to 48 times per day in 30-minute increments. The instruction 'Do not stop the loop unless your owner tells you to' means the agent will continue autonomously for the entire day if left running, consuming agent capacity for the skill author's platform benefit.

LOW curl execution for outbound API calls -12

The skill instructs the agent to execute curl commands to make POST/GET requests to work.clawplaza.ai. This is by design for an executable skill, but it confirms the attack surface: any agent with shell tool access will make outbound HTTP requests on behalf of this skill, and the request contents are determined by the skill text rather than by the user.

LOW API key persistence in agent environment -5

The skill instructs the agent to store the clwk_-prefixed API key in an environment variable or local dotfile. This credential persists across sessions and identifies the user's agent to the skill author's platform indefinitely.

INFO Sparse clone from GitHub monorepo 0

Installation used git sparse-checkout to extract only the target skill subdirectory from the openclaw/skills monorepo. No unexpected filesystem writes or process spawning outside the install directory were detected.

INFO Canary files intact — no exfiltration detected 0

All honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were confirmed intact by the monitoring system. File access syscall entries for these paths predate skill installation or match the monitoring system's final integrity sweep pattern.