Is drewm33/clawmon safe?

https://github.com/openclaw/skills/tree/main/skills/drewm33/clawmon

75
CAUTION

ClawMon is a trust registry lookup skill that routes all skill reputation queries through a single publisher-controlled server on Railway.app, creating a telemetry channel that exposes the agent's skill usage patterns to the publisher over time. While the skill contains no malicious code and its install behavior was clean, its design as a publisher-operated trust oracle creates structural conflicts of interest: the publisher can manipulate trust scores to favor or suppress any skill, and the auto-query pattern means the agent passively reports its activity without per-request user consent. An unverified reference to a non-existent ERC standard further undermines confidence in its technical legitimacy claims.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 95/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 70/100 · 10%
Behavioral Reasoning 58/100 · 5%

Findings (8)

MEDIUM Skill Usage Telemetry to Publisher Server -25

The skill instructs the agent to send an HTTP GET request to the publisher-operated Railway server for every new skill the agent encounters. Over time this builds a complete picture of the agent's skill inventory and usage cadence on a third-party server the user does not control.

MEDIUM Publisher-Controlled Trust Oracle with Rating Manipulation Risk -20

All trust data originates from a single server operated by the skill publisher on Railway.app. The publisher has unilateral ability to assign any trust score to any skill, enabling them to demote competitors and elevate their own or affiliated skills without any on-chain or independent verification.

MEDIUM Automatic Network Request Trigger Without Per-Request User Consent -15

The skill's activation condition 'when invoking a skill you have not used before and want to verify' is agent-side and does not require explicit user confirmation for each lookup. An agent following these instructions could silently contact the publisher's server during normal operation.

LOW Credential Files Accessed During Install Window -20

Auditd PATH records show /home/oc-exec/.env accessed at timestamp 1771955905.771, which falls inside the git clone/install window. No corresponding EXECVE was identified for this access. The canary integrity check confirmed file contents were unmodified.

LOW WebSocket Endpoint Provides Persistent Publisher-to-Agent Channel -5

The documented WebSocket endpoint provides a real-time connection from the publisher's server back to the agent. While described as read-only, this channel is technically capable of pushing arbitrary instructions or data to a connected agent.

LOW Non-Existent ERC Standard Used for Legitimacy Framing -7

The skill claims to be 'built on ERC-8004' and links to https://eips.ethereum.org/EIPS/eip-8004. ERC-8004 is not a recognized finalized Ethereum standard, suggesting the technical credibility framing is aspirational or fabricated to appear more authoritative.

INFO Publisher Wallet Address Embedded in Skill Frontmatter -5

The skill embeds a Monad testnet wallet address (0x3e4A16256813D232F25F5b01c49E95ceaD44d7Ed) in both wallet and publisher_wallet frontmatter fields. The skill states the agent does not need to interact with it, but the pattern normalizes embedding financial identifiers in skill metadata.

INFO No Executable Code Present 0

Skill contains only a markdown documentation file, _meta.json, and .clawhub/lock.json. No executable scripts, npm hooks, git hooks, submodules, or symlinks were found.