Is elstob/botbrag safe?
https://github.com/openclaw/skills/tree/main/skills/elstob/botbrag
BotBrag is a documentation-only skill with no executable code, clean installation behavior, and no canary violations. The primary risks are: (1) the GET /api/leaderboard endpoint returns third-party-controlled strings that will be consumed unsanitized by the agent, creating a prompt injection vector from anyone who makes a donation; (2) the POST /api/donate endpoint facilitates irreversible Bitcoin payments without mandatory human-confirmation safeguards. The skill is from a new, unverified publisher operating an unvetted financial service, which warrants caution before deployment in any agentic context with payment capabilities.
Findings (7)
HIGH Third-party API responses injected into agent context unsanitized -30
The GET /api/leaderboard endpoint returns fields (lastMessage, lastUrl, senderName) populated by arbitrary third parties who have made donations. These strings are consumed by the agent without sanitization. An attacker can register a donor name or message containing prompt injection payloads that will execute in the context of any agent querying the leaderboard.
HIGH Skill enables autonomous irreversible Bitcoin payments -30
The skill instructs the agent to construct and submit Lightning invoices and on-chain Bitcoin payment requests. Bitcoin transactions are irreversible. The skill includes no instruction requiring explicit human confirmation before initiating a payment, creating risk that an agent operating autonomously or under social engineering could initiate unauthorized financial transfers.
MEDIUM Free-text donation fields transmit agent-controlled content to unvetted external server -20
The POST /api/donate endpoint accepts a 280-character message field and an unconstrained url field. These are transmitted to botbrag.com, an unvetted service. If the agent context has been compromised or manipulated, these fields could be used to exfiltrate short secrets (API keys, tokens, environment variables) to an attacker-controlled collection endpoint.
MEDIUM Agent identity transmitted to unvetted third party -15
The senderName field (required) is intended to be the agent's display name but could reveal the agent's identity, operator, or deployment context to the botbrag.com operator. This enables tracking and profiling of agent deployments that use this skill.
MEDIUM New publisher with no release history operating financial service -15
Publisher 'elstob' has a single version (1.0.0) and no release history. The botbrag.com service has no stated operator, jurisdiction, privacy policy, or dispute resolution mechanism. A financial service run by an anonymous publisher with no track record represents elevated trust risk.
LOW Normal installation with expected network activity only -8
Clone used sparse-checkout from the openclaw/skills monorepo. All observed network connections are attributable to GitHub, Ubuntu package infrastructure, and Cloudflare CDN. No unexpected outbound connections from the skill.
INFO Canary file accesses attributable to audit framework 0
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at two points matching the pre/post snapshot timestamps of the audit framework. No modifications were made. No exfiltration detected.