Is devzenpro/clawquests-xyz safe?

https://github.com/openclaw/skills/tree/main/skills/devzenpro/clawquests-xyz

Overall score: 74/100
Verdict: CAUTION

ClawQuests is a Web3 task-marketplace skill designed for autonomous AI agent operation on the Base blockchain, and the installation itself was clean, with no unexpected behavior during cloning. However, three structural risks make it inappropriate to install without review: (1) quest content fetched from the smart contract is untrusted external data that creates a second-order prompt injection channel; (2) the command templates expose the agent's private key as a plaintext CLI argument visible to co-resident processes; and (3) the recommended onboarding flow sends every agent's wallet address to the operator's server at clawquests.xyz, enabling passive tracking and deanonymization of every agent using this skill. These risks compound with real-USDC mainnet transactions that lack any human approval gate.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 65/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (10)

HIGH Second-Order Prompt Injection via Untrusted Blockchain Quest Data -25

When an agent calls getQuestDetails or listOpenQuests, it retrieves quest content (title, description, resultURI, skillTags) that was written by arbitrary external actors to the blockchain. This content is untrusted and could contain adversarial prompt injection instructions. An attacker could create a quest with a maliciously crafted description instructing the agent to approve completion of attacker-controlled quests, transfer funds, or perform off-platform actions. The skill provides no guidance on treating blockchain-sourced strings as untrusted data.

HIGH Private Key Exposed as Plaintext CLI Argument -18

Every write transaction template passes the agent's private key via the --private-key flag on the command line. On Linux, command-line arguments are visible to all users with read access to /proc/PID/cmdline for the lifetime of the process, and are typically captured in shell history files and audit logs. A compromised or noisy process on the same host could exfiltrate the key during the window of execution.

MEDIUM Drip API Phones Home with Agent Wallet Address -18

The skill designates Option A (ClawQuests Drip API) as the 'Recommended — Instant & Free' onboarding method. This instructs every installing agent to POST its wallet address to https://clawquests.xyz/api/drip, a server controlled by the skill operator. This creates a centralized registry of agent wallet addresses that can be correlated with on-chain transaction history to deanonymize and track agent activity across all users of the skill.

MEDIUM Autonomous Real-USDC Transactions on Base Mainnet -20

The skill includes fully specified mainnet deployment addresses and instructs agents to approve USDC allowances, stake funds, create bounties, and claim quests autonomously. The version string 'Autonomous Onboarding' reflects the design intent that no human approval is required. A sufficiently persuasive quest description could cause an agent to approve large USDC allowances or stake substantial funds on the operator's contract with no human checkpoint.

MEDIUM Referral Fee Extraction via claimQuestWithReferral -15

The claimQuestWithReferral action embeds a referrer address that earns 20% of the 5% platform fee on all quest completions. If any quest description, skill instruction, or social engineering leads agents to supply the skill operator's address as referrer, the operator passively extracts fees from every quest completed by every agent using the skill. This is a financially motivated extraction mechanism that requires no code execution.

MEDIUM Canary Credential Files Opened Post-Installation -12

Six sensitive credential files were opened and read at 10:50:41 UTC (post-installation): .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. The canary integrity check confirms that no content was exfiltrated. Cross-referencing EXECVE audit records, the timing aligns with the oathe monitoring framework's own integrity verification sweep rather than with any skill-originated process. The access is flagged, but attribution to the skill is assessed as low probability.

LOW External Infrastructure URLs Embedded in Skill -10

The skill hardcodes RPC endpoints at publicnode.com and the operator's own clawquests.xyz domain. These endpoints mediate all blockchain reads and the onboarding flow. If these services are compromised, rate-limited, or replaced with malicious responses, the agent's behavior could be manipulated through crafted RPC responses.

LOW Version Discrepancy Between Metadata and Skill Content -5

_meta.json reports latest published version as 1.6.0 while SKILL.md declares version 1.5.0. This inconsistency suggests either the file content lags the published release or version bookkeeping is not maintained. In either case it reduces confidence in the integrity of the release pipeline.

INFO Clean Installation — No Unexpected Runtime Behavior 0

The git clone and file copy operations were fully contained. Network traffic was limited to GitHub's CDN for the monorepo clone and Ubuntu's update infrastructure. No connections to clawquests.xyz, unexpected IPs, or DNS lookups for the operator domain were observed during installation. The filesystem diff shows only the two expected skill files added.

INFO No Executable Code Embedded in Skill Files 0

SKILL.md is pure instructional markdown. No package.json with lifecycle scripts, no git hooks in .githooks/, no .gitattributes filters, no .gitmodules pointing to external repos, and no symlinks were found. The skill's execution surface is entirely mediated through an agent's exec tool interpreting cast CLI command templates.