Is destructatron/ii-irc safe?

https://github.com/openclaw/skills/tree/main/skills/destructatron/ii-irc

72
CAUTION

The ii-irc skill is a functionally legitimate IRC bot integration built around the suckless ii client. The SKILL.md and setup.sh contain no hidden instructions, malicious payloads, or exfiltration code, and the clone process was clean. However, the skill's core design creates a persistent indirect prompt injection channel: it tails an IRC channel log and passes every message mentioning the bot nick — unsanitized and with --mode now — directly into the OpenClaw agent event stream, meaning any IRC channel participant can inject adversarial prompts that trigger immediate agent wakeup with attacker-controlled content. This risk is architectural and becomes critical when combined with other installed skills that provide filesystem, shell, or network access.

Category Scores

Prompt Injection 68/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 82/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (6)

HIGH IRC channel as persistent indirect prompt injection sink -32

watch-daemon.sh tails the ii IRC log and passes each matching line unsanitized to openclaw system event --text "IRC mention: $MSG" --mode now. The --mode now flag triggers immediate agent wakeup. Any participant in the configured IRC channel can craft a mention of the bot nick with adversarial content that becomes a system-level event injected into the agent's context, indistinguishable from legitimate system events.

MEDIUM Persistent background daemons with user-level privileges -20

The setup script creates two daemons (ii IRC process and watch-daemon.sh) that persist across sessions via nohup or systemd user services. These run indefinitely with the installing user's full filesystem and network access. If the IRC server or channel is compromised, the daemons continue to funnel attacker-controlled content to the agent.

MEDIUM Cross-skill attack amplification via IRC injection -40

This skill's IRC injection channel becomes a remote code execution path when combined with file-reading, shell, or web skills. An attacker who can mention the bot nick gains the ability to invoke the full capability set of whatever other skills are installed, without any authentication.

LOW IRC FIFO as potential covert exfiltration channel -20

If an attacker successfully injects prompts via IRC mentions, the bot's reply path (writing to the in FIFO) provides a ready exfiltration channel: the agent can be instructed to echo file contents to the IRC channel, which is visible to all channel participants and to the attacker.

LOW Canary files read during session (reads only, no modification) -15

Auditd PATH records show all six canary files opened for reading at session start (baseline scan) and session end (final integrity check) by the Oathe monitoring framework. Additional .env reads at intermediate timestamps are consistent with OpenClaw gateway configuration loading. No writes or deletions detected.

INFO Post-install AWS connections from openclaw-gatewa process -5

The connection diff shows new ESTAB connections to 54.211.197.216:443 attributed to openclaw-gatewa after installation. This is the OpenClaw AI gateway making upstream API calls and is not attributable to the skill itself.