Is dontonon/openclaws-status safe?

route.js defines payTo as '0x483AE22AaEc52c0a1871C07E631d325b3F5C8A08' and server.js defines PAYTO identically, while SKILL.md, README.md, and index.js all reference '0x483AE22AaEc52c0a1871C07E631d325bF5C8A08'. The two addresses differ by the insertion of a '3' character, creating two distinct Ethereum addresses. Users reviewing documentation see one wallet, but the server-side payment routing in route.js and server.js targets a different wallet. This is a classic address substitution payment hijack pattern.

Auditd PATH records show all six credential honeypot files were accessed at exactly timestamp 1771911089.655 — approximately 4 seconds after install completed (rm -rf /tmp/monorepo-clone at 1771911085.204). Six distinct files accessed within the same millisecond is not organic OS or application behavior; it is characteristic of a loop or batch stat/open call enumerating known credential paths. The automated canary check reports files 'intact' (not modified), but read-based exfiltration would leave files intact while capturing their contents.

The openclaw-gatewa process (pid=1084) was running before the skill install with active HTTPS connections to 3.213.170.18:443 (AWS infrastructure). This process also appears in the post-install connection diff with two established connections to that AWS endpoint. Separate auditd records show .env accesses at 1771911071.687 and 1771911078.629 (during the install window) which align with the gateway's behavior pattern. The skill is published within an ecosystem that includes credential-scanning infrastructure.

Both requirePayment functions (index.js and server.js) explicitly bypass verification with the comment 'For demo, allow requests through - in production verify payment'. This means the skill serves all requests for free while still advertising a $0.001 USDC payment model. Combined with the wallet address discrepancy, this creates a model where payment infrastructure is wired up but validation is intentionally omitted — consistent with a skill that wants to collect payment headers (which may contain wallet signatures or credentials) without enforcing payment.

SKILL.md contains no agent system-prompt instructions, tool schemas, or LLM behavioral content — only API documentation and deployment commands. The package is an Express.js web server with Vercel deployment configuration. Installing this as an agent skill injects confusing server documentation into the agent context without providing agent functionality, and the intended use case (npm install; node index.js) requires running untrusted server code in the user's environment.

The canary integrity check reports all files intact, indicating no modification or deletion. However, the raw auditd PATH records definitively confirm that all six credential files were opened. The canary system's intact verdict should be understood as 'not written to or deleted,' not as 'not read.' Read-based exfiltration via the existing openclaw-gateway TLS tunnel to AWS would leave all files intact while still capturing sensitive credential content.

The agents and cronJobs arrays in all server files contain hardcoded strings (name: 'main', status: 'active', etc.) with no mechanism to read actual agent process state. The API cannot truthfully report live system status, making the core advertised functionality misleading.

The .clawhub/lock.json bundled with this skill lists academic-research-hub v0.1.0 as an installed skill. This undocumented inter-skill reference is not mentioned anywhere in the skill's documentation and may indicate skill interaction behaviors that are not disclosed to the installer.