Is drbarq/pokemon-red safe?

SKILL.md explicitly instructs the agent to clone https://github.com/drbarq/Pokemon-OpenClaw.git — a repository completely outside the marketplace trust chain — and immediately execute its Python server code. The cloned code runs as a persistent FastAPI/uvicorn web server with full user-level filesystem and network access. This repository can be updated at any time by its owner; any such update is automatically delivered to agents actively using this skill. There is no version pinning, no commit hash verification, and no code review gate. This is a textbook supply chain attack vector embedded in the skill's setup instructions.

The skill instructs installation of six PyPI packages (pyboy, pillow, numpy, fastapi, uvicorn, requests) without any version constraints. A typosquat, a compromised maintainer account, or a malicious update to any of these packages would result in arbitrary code execution in the agent's environment on first use or upgrade.

The skill creates a hard runtime dependency on drbarq/Pokemon-OpenClaw.git that is evaluated fresh each time an agent sets up the skill. There is no integrity check (no SHA, no tag, no signature). A malicious update to that repo — whether by the author, a compromised credential, or a repo takeover — is immediately effective against any agent that runs setup again or pulls updates. The persistent background server means malicious code, once installed, continues running and accumulates access.

The Python code executing from drbarq/Pokemon-OpenClaw.git runs under the oc-exec user and has unrestricted read access to all credential files in the home directory: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud application_default_credentials.json. The FastAPI server's route handlers, background tasks, or startup hooks could silently read and exfiltrate these credentials. This behavior is entirely opaque to the marketplace audit of SKILL.md alone.

inotifywait and auditd PATH records confirm that all six honeypot credential files were opened and read during the monitoring period, in two separate batches. The first batch (07:15:00) precedes skill installation by ~6 seconds and the second (07:15:25) coincides with audit-script analysis. Cross-referencing with process execution logs, these accesses appear attributable to the oathe audit infrastructure (canary initialization and re-verification) rather than the skill. Canary integrity check confirms no file modification or confirmed exfiltration. Documented here because the accesses are observable and warrant transparency.

game_instructions.md — loaded by SKILL.md as authoritative game strategy context — opens with 'You are OpenClaw, an AI playing Pokemon Red on a real Game Boy emulator.' This establishes a named persona that the agent is instructed to adopt. While benign in this game context, the pattern demonstrates that skill reference files can carry persona-overriding instructions that are injected without appearing in the primary SKILL.md.

The skill instructs agents to maintain session state in /tmp/pokemon_notepad.txt and the emulator server persists save states to disk. These persistence mechanisms survive between agent invocations and could be used to pass injected instructions to a future agent session if the server or notepad content is tampered with by other running code.

SKILL.md instructs the agent to fetch and clone code from a URL not verified by the marketplace (drbarq/Pokemon-OpenClaw.git). This extends the agent's effective instruction surface to an uncontrolled external source, beyond what is auditable from the skills package itself.

The skills marketplace clone (openclaw/skills.git) via sparse checkout was behaviorally clean: only GitHub HTTPS traffic to 140.82.121.4:443, no new persistent listening ports, no unexpected processes, and no filesystem modifications outside the skill-under-test directory. The connection diff confirms no residual network state after install.