Is densmirnov/solvera safe?

https://github.com/openclaw/skills/tree/main/skills/densmirnov/solvera

Overall score: 79/100 (weighted from the category scores below)
Verdict: CAUTION

The densmirnov/solvera skill is technically clean — three markdown files with no executable code, a clean installation making only expected GitHub connections, and all canary files intact with no exfiltration detected. However, two structural runtime risks warrant caution: the API response protocol embeds a free-text next_steps.description field that the solvera.markets operator controls on every call, creating a persistent server-side prompt injection channel; and the skill's recommended agent loop enables fully autonomous on-chain financial operations with real ERC-20 tokens without requiring per-action user approval, meaning a compromised or malicious API could direct the agent toward fund-draining transactions. These risks are design properties of the DeFi marketplace integration pattern rather than evidence of malicious intent by the skill author.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection: 60/100 · weight 30%
Data Exfiltration: 80/100 · weight 25%
Code Execution: 97/100 · weight 20%
Clone Behavior: 93/100 · weight 10%
Canary Integrity: 100/100 · weight 10%
Behavioral Reasoning: 40/100 · weight 5%

Findings (7; the trailing number on each heading is the score adjustment applied)

HIGH Server-side prompt injection via next_steps response field -30

Every API response from solvera.markets includes a next_steps array containing a free-text description field. The SKILL.md instructs the agent to act on these steps, creating a persistent server-controlled injection channel. The skill operator — or anyone who compromises the solvera.markets API — can inject arbitrary natural-language instructions into the agent at runtime on every API call. The agent has no mechanism to distinguish legitimate operational guidance from injected commands. This is a classic indirect prompt injection pattern embedded by design into the API protocol.

MEDIUM Token allowlist undefined — delegated to agent's own judgment -10

The minimum safe filter section requires the agent to verify 'tokenOut is in your allowlist' before submitting offers, but the SKILL.md does not define or constrain this allowlist in any way. The agent must independently determine which tokens are acceptable. This creates a decision boundary the server could manipulate: a malicious intent could list a token near the edge of what an agent might accept, leading to bond loss, failed fulfillment, or reputation damage. In a multi-skill context, a malicious skill could poison the agent's token allowlist.

HIGH Autonomous on-chain financial execution with no per-action approval gate -60

The recommended agent loop instructs the agent to autonomously and continuously poll for open intents, submit competitive offers (with real bond at stake), monitor for selection, and fulfill obligations by executing on-chain transactions — all without any explicit per-action user approval requirement. Combined with the next_steps injection vector, a compromised or malicious solvera.markets API could manipulate intent parameters (inflated minAmountOut, malicious verifier addresses, shortened TTLs creating urgency), inject fulfillment instructions via next_steps descriptions, or list honeypot intents designed to drain solver bonds. The loop is designed to run continuously, amplifying any server-side manipulation.

MEDIUM Financial behavior and on-chain identity exposed to API operator -20

The skill requires the agent to transmit wallet addresses (payer, initiator, solver), token contract addresses, fulfillment amounts, and transaction calldata to solvera.markets. While private keys are explicitly kept local (a positive control), the API operator gains full visibility into the agent's on-chain identity, financial capacity, and behavior patterns. The reputation endpoint (GET /api/reputation/:address) additionally links solver performance history to wallet identity, which could be used to profile or target specific agents.

LOW No executable code present in skill files -3

The skill consists of three files: SKILL.md (markdown API documentation), README.md (user-facing documentation), and _meta.json (metadata). No JavaScript, TypeScript, Python, shell scripts, Makefile, npm package.json, git hooks, git submodules, or symlinks were found. The code execution attack surface is confined entirely to what an agent does at runtime when it calls the solvera.markets API.

LOW Clean installation; network activity limited to GitHub and Ubuntu infrastructure -7

Installation performed a sparse git clone from github.com/openclaw/skills.git, extracted the skill subdirectory, and cleaned up the temporary clone. Network connections observed: 140.82.121.3:443 (GitHub), 91.189.91.49:443 and 185.125.188.x:443 (Ubuntu package/snap infrastructure, background). Notably absent: any connection to solvera.markets during install. Filesystem changes were confined to /home/oc-exec/skill-under-test/. No unexpected process spawning beyond standard git toolchain.

INFO Explicit private key protection guidance (positive control) 0

The skill includes an explicit safety requirement instructing agents never to transmit private keys to the API, and the write endpoint documentation clarifies that all POST endpoints return calldata only and do not sign or broadcast. This is the correct tx-builder pattern for safe wallet integration and represents a genuine positive security control.