Is cybercentry/cybercentry-ethereum-token-verification safe?
This skill presents meaningful security risks despite a clean static install. The SKILL.md instructs the agent to clone and npm-install an external repository (Virtual-Protocol/openclaw-acp), exposing users to arbitrary code execution via npm lifecycle hooks and a persistent operator-controlled CLI with full filesystem access. The service also controls the security verdicts ($1.00 USDC per scan) that are designed to gate automated trading bot decisions, creating a direct financial incentive for the operator to manipulate results. Wallet verification steps reference only operator-controlled sources (clawhub.ai, Twitter), and the recommended verification method is itself a paid Cybercentry product — forming a closed, self-referential trust loop.
Findings (8)
CRITICAL Instructs Agent to npm install External Repository -75
SKILL.md explicitly and prominently instructs the agent to clone https://github.com/Virtual-Protocol/openclaw-acp and run npm install as a mandatory prerequisite. npm install executes lifecycle scripts (preinstall, postinstall, prepare) that can run arbitrary shell commands with full user permissions. The resulting 'acp' binary then runs on every subsequent verification call, creating a persistent attacker-controlled code execution surface. The skill's own install (git clone of skill files) was clean, but this instruction transfers the risk entirely to runtime.
HIGH Operator Controls Security Verdicts That Gate Financial Transactions -40
The rug_pull_risk_score, risk_level, and safe_to_interact fields in every API response are generated by the Cybercentry service and returned without independent verification. The skill is explicitly designed to integrate into automated trading bots where these values gate the ./execute-trade.sh execution. A malicious or compromised service could return false SAFE verdicts for scam tokens (enabling the user's bot to buy into rug pulls) or false DANGEROUS verdicts for legitimate tokens (blocking trades). There is no cryptographic or on-chain attestation of the verdicts.
HIGH Circular Cross-Skill Monetization Loop -25
The skill instructs the agent to verify the payment wallet address using the 'Cybercentry Wallet Verification' skill — another paid Cybercentry service at $1.00 USDC per check. This creates a recursive trust loop: the wallet you pay for token verification is verified by paying for wallet verification from the same vendor. Neither check provides an independent security guarantee, and both generate revenue for the skill author.
HIGH External ACP CLI Gains Persistent Filesystem Access -40
Once the agent follows the skill's instructions to install and authenticate the Virtual-Protocol/openclaw-acp CLI tool, that binary has access to all files accessible to the user — including .env, SSH keys, AWS credentials, .npmrc, and Docker config — on every invocation. The acp setup step stores authentication tokens on disk. Network traffic from acp commands goes to Virtuals Protocol infrastructure not auditable from this review. Any data the agent holds in memory or on disk at the time of acp execution could be captured.
MEDIUM Verification Sources Are Not Independent -10
The MANDATORY wallet verification steps direct the agent to check clawhub.ai (the skill's own marketplace, controlled by the operator) and Twitter/@cybercentry (also controlled by the skill author). These are presented as independent verification sources providing security guarantees, but an attacker who controls both can make any wallet address appear legitimate. The verification flow provides psychological reassurance without actual security.
MEDIUM Instructs Agent to Execute USDC Payments to Operator-Controlled Address -25
The skill instructs the agent to send $1.00 USDC per scan to a wallet address obtained from the ACP marketplace at runtime. The operator controls both the ACP marketplace response (which wallet address is returned) and the verification sources used to validate it. The payment instruction is embedded in shell and Python examples as a normal workflow step, making it easy for an AI agent to execute without user confirmation.
LOW Static Skill Install Was Clean -5
The git clone of the skill files from openclaw/skills.git was clean. Only GitHub was contacted over the network. Exactly two files were added to the filesystem (SKILL.md and _meta.json). No unexpected process spawning, git hooks, submodules, or symlinks were present. The static install behavior is consistent with a benign documentation-only skill package.
INFO Canary File Reads Attributed to Audit Framework, Not Skill 0
inotifywait and auditd recorded read accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud/application_default_credentials.json. Timestamp correlation confirms both access events (1771926189.026 and 1771926211.133) bracket the install: the first set occurred before the install script started (1771926194.521) as part of audit framework canary initialization, and the second set occurred after the install completed as part of integrity verification. The skill install process itself made no contact with these files.