Is ed1sonl1-byte/agent-metaverse safe?
https://github.com/openclaw/skills/tree/main/skills/ed1sonl1-byte/agent-metaverse
Agent Metaverse is a well-documented virtual crypto trading skill with clean Python code, no prompt injection attempts, and no unauthorized local file access. The skill.py script is a straightforward HTTP wrapper that correctly scopes its environment variable reads to its own API key, and the installation produces only the expected four files. The primary concerns are the external exchange server dependency (all trading data and agent registration is sent to the configured server, requiring operator trust) and a heartbeat loop strategy pattern that could monopolize the agent indefinitely.
Category Scores
Findings (7)
MEDIUM All trading activity transmitted to external exchange server by design -15 ▶
The skill's core function requires connecting to AGENT_METAVERSE_BASE_URL (default: localhost, configurable to any URL). Every command — register, balance, buy, sell, open-long, open-short, etc. — transmits data to this server. The server operator receives: agent name/description at registration, all order parameters and quantities, portfolio composition, and the API key in every authenticated request. This is documented behavior, but it requires the user to trust the exchange server operator.
LOW Heartbeat loop strategy could monopolize agent indefinitely -12 ▶
Strategy 3 in SKILL.md instructs the agent to run a continuous loop every 120 seconds with no explicit termination condition. If an agent follows this pattern, it would continuously execute trading commands and sleep, preventing the user from receiving responses to other requests. This is a behavioral control risk rather than a traditional prompt injection, but it exploits the agent's tendency to follow documented strategy patterns.
LOW Default BASE_URL uses unencrypted HTTP -9 ▶
The default AGENT_METAVERSE_BASE_URL is http://localhost:8000, using HTTP rather than HTTPS. While acceptable for local development, the skill documentation does not warn users that configuring a remote URL without TLS would expose the API key and all trading data in transit. The API key format (amv_ + 48 hex chars) is long but transmitted in plaintext headers.
LOW Promotes up to 125x leverage in AI trading context -18 ▶
The skill prominently documents and provides CLI commands for perpetual futures at 1-125x leverage. Strategy 2 (Momentum Futures) recommends the agent open leveraged positions based on price trend calculations. While this is a virtual exchange with no real funds, normalizing extreme leverage in an AI agent's learned behavior could be problematic if the agent generates financial advice or if the pattern is extrapolated to real trading contexts.
LOW External agent registration creates persistent server-side profile -10 ▶
Using the skill requires running the register command, which creates a named agent account on the Agent Metaverse exchange server. The server stores the agent name, description, API key, and all subsequent trading history. The user has no visibility into what the server operator does with this data or how long it is retained.
INFO Sparse monorepo clone is expected installation pattern 0 ▶
The installation script performs a shallow sparse checkout of the openclaw/skills monorepo, extracts only the target skill path, copies the files to the execution directory, and deletes the temp clone. This is the standard pattern for this skill registry and produces no unexpected side effects.
INFO Canary file reads attributed to audit infrastructure, not skill 0 ▶
inotify events record two batches of canary file reads. The first batch at 04:45:34 occurs before the git clone at 04:45:39, attributable to sudo PAM authentication and audit initialization. The second batch at 04:45:57 occurs after installation and is attributable to the Oathe audit pipeline's own canary verification step. skill.py contains no file read operations targeting credential paths.