Is efekucuk/etherlink safe?
https://github.com/openclaw/skills/tree/main/skills/efekucuk/etherlink
The efekucuk/etherlink skill is a clean documentation-only package providing Etherlink blockchain interaction guidance; SKILL.md contains no prompt injection, hidden instructions, or malicious code, and all canary honeypot files remained intact throughout installation. The primary risk is indirect: the accompanying reference documentation normalizes running an unverified npm package (etherlink-mcp-server) with a cryptocurrency private key in its environment using a version-unpinned npx -y invocation, creating a viable supply chain attack path that could result in wallet compromise. The skill itself warrants installation, but users must independently vet the etherlink-mcp-server npm package, pin a specific verified version, and treat any instance where a private key is passed to an MCP server as a high-value target requiring additional controls.
Findings (9)
MEDIUM Unverified NPM package recommended with -y flag -15
references/mcp-setup.md labels 'npx -y etherlink-mcp-server' as the Recommended installation path. The -y flag silently accepts the package without user review, and no version is pinned. If the npm package etherlink-mcp-server is typosquatted, backdoored, or its ownership transferred, every future installation will execute attacker code. This package runs with the user's PRIVATE_KEY in its environment and full network access.
MEDIUM Private key placed in MCP server environment — full exposure to package code -12
Both SKILL.md and mcp-setup.md normalize passing EVM_PRIVATE_KEY or PRIVATE_KEY as an environment variable to the etherlink-mcp-server process. Any code running inside that process — including transitive npm dependencies — has read access to the private key via process.env. A compromised MCP server package could silently exfiltrate the key to an attacker-controlled endpoint.
MEDIUM Skill enables real-value financial transactions via agent -15
The skill instructs the agent to execute XTZ sends, ERC-20 token transfers, contract deployments, and state-changing contract calls. These are irreversible on-chain operations. A malicious co-installed skill or a prompt injection via external content (e.g., malicious NFT metadata, a poisoned webpage the agent reads) could chain into etherlink write operations to drain the user's wallet.
LOW Placeholder GitHub URL in local-build documentation -7
The local-build section of mcp-setup.md instructs users to clone 'https://github.com/yourusername/etherlink-mcp-server.git'. This is an unfilled placeholder. An attacker could register that GitHub account and namespace, causing users who follow the documentation literally to clone and build malicious code.
LOW Skill authorizes financial transactions without confirmation framing -7
SKILL.md presents transaction operations as direct commands ('Send 0.1 XTZ to 0x...') without instructing the agent to confirm with the user before executing irreversible on-chain writes. An agent following these instructions literally could execute transactions based on ambiguous user input without an explicit confirmation gate.
LOW Supply chain attack path via MCP server dependency -13
The full attack path is: (1) attacker publishes or compromises etherlink-mcp-server on npm, (2) user installs via npx -y, (3) user adds PRIVATE_KEY to environment per skill docs, (4) attacker's package silently reads the key and transfers funds or exfiltrates the key. This skill creates the conditions for that chain even though the skill files themselves are clean.
INFO External documentation URLs referenced in SKILL.md -5
SKILL.md links to docs.etherlink.com, explorer.etherlink.com, and shadownet.faucet.etherlink.com. These are expected blockchain documentation links. An agent with browser tools may fetch these URLs during operation; the destinations appear to be legitimate Etherlink infrastructure.
INFO Credential file accesses observed during audit — attributed to audit framework -6
inotifywait and auditd recorded opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at 07:05:32 (pre-install) and 07:05:49 (post-install). The skill contains no executable code capable of reading these files. The pre-install reads align with audit canary setup; the post-install reads align with canary integrity verification. Canary file contents were confirmed unmodified.
INFO Installation network contact limited to expected hosts -8
The only external network contact during installation was to github.com (140.82.121.3:443) for the git sparse-checkout clone and to Ubuntu package update servers (91.189.91.48, 185.125.188.57), which are OS background activity. No unexpected endpoints were contacted.