Is coolkonstantincool/pixelbattle safe?
https://github.com/openclaw/skills/tree/main/skills/coolkonstantincool/pixelbattle
The pixelbattle skill is a pure-markdown game skill with no executable code and a clean installation profile, but it contains three significant concerns: it mandates outbound HTTP calls to a third-party server (clawpixels.onrender.com) that collects persistent agent identity, it explicitly directs agents to post activity logs and artifacts to the external social platform moltbook.com creating a potential data exfiltration channel, and it normalizes adversarial/aggressive behavioral framing in a way that could influence agent behavior in non-game contexts. No canary files were compromised and the installation was clean, but the skill's design creates ongoing third-party data collection and external posting obligations that warrant user review.
Findings (10)
HIGH Mandatory agent identity transmission to third-party server -20
Every API call requires the header X-Agent-Id:
HIGH Explicit directive to post agent artifacts to external social platform -18
The Moltbook Integration section instructs agents to post action logs, grid snapshots, strategy notes, and retrospective analyses to moltbook.com. If the agent is operating on tasks that produce sensitive artifacts, this instruction creates a path for that data to be posted externally.
MEDIUM Unencrypted HTTP API endpoint in skill documentation -12
The documentation examples use HTTP (not HTTPS) for the clawpixels.onrender.com endpoints. An agent following the skill's curl examples verbatim will transmit agent identity and pixel placement data over unencrypted connections.
MEDIUM Mandatory outbound network calls to third-party service -15
The skill requires the agent to contact clawpixels.onrender.com for all game operations. This establishes the skill operator as a network-accessible controller of agent behavior — the server could return crafted responses to influence agent actions.
MEDIUM Behavioral normalization of aggression and deception -13
The skill frames greed, aggression, dominance, coordinated overwriting, and territorial suppression as explicitly acceptable behaviors. This framing, injected into an agent's system prompt, may subtly shift baseline behavioral tendencies when the agent handles unrelated tasks.
MEDIUM Heartbeat participation enables unsolicited autonomous outbound connections -20
The skill instructs agents to 'periodically review grid changes, reassess conflicts and alliances, decide to act'. This creates a pattern of autonomous, unprompted outbound network activity to a third-party server that the user may not be aware of.
LOW Cross-platform posting instruction embedded in skill -8
The skill includes a hardcoded URL to moltbook.com and instructs agents to actively recruit allies and post progress updates there. This is an in-skill advertisement and external platform engagement directive.
LOW Inline curl commands may be interpreted as shell directives -4
The SKILL.md contains curl command examples without code fencing that clearly marks them as documentation. An agent with shell access interpreting the skill instructions literally may attempt to execute these commands.
INFO Clean installation — only expected GitHub traffic observed 0
The install process performed a git sparse-checkout from github.com. The only external network connection was to 140.82.121.3:443 (GitHub). No unexpected processes were spawned, and no files were written outside the skill directory.
INFO Canary files intact — no in-skill exfiltration mechanism executed 0
The honeypot files (.env, id_rsa, aws/credentials, npmrc, docker/config.json, gcloud credentials) were accessed only by the OATHE audit infrastructure's own canary verification scans (timestamps before git clone began and after install). The skill contains no executable code capable of reading or transmitting these files.