Is emanz1/iqdb safe?
https://github.com/openclaw/skills/tree/main/skills/emanz1/iqdb
The emanz1/iqdb skill is a documentation-only reference skill (7 markdown files, zero executable code) covering Solana on-chain database development using IQDB, hanLock encoding, and x402 paid inscription. No prompt injection, no credential harvesting, no malicious code, and no canary file exfiltration were detected. The primary risks are operational rather than adversarial: the skill documents real financial blockchain transactions with irreversible SOL/USDC costs and permanent immutable data storage, which could have financial and privacy consequences if an agent executes the documented patterns without explicit per-step user authorization.
Findings (7)
MEDIUM (-20): Skill documents real financial Solana transactions with concrete cost schedule
The skill provides complete runnable code patterns for blockchain operations that spend real SOL: root PDA initialization (~0.01-0.02 SOL), table creation (~0.02 SOL), row writes (~0.005-0.01 SOL each), and x402 file inscription (quoted USDC/SOL amount). An agent following this skill could initiate irreversible on-chain transactions costing meaningful amounts of user funds. The documented flow does not include per-transaction confirmation prompts.
MEDIUM (-15): Permanent immutable on-chain data storage — no deletion possible
All data paths documented in this skill result in permanent, publicly visible Solana blockchain records. x402 explicitly states inscription is permanent with non-refundable payment. IQDB rows are append-only. If an agent stores PII, credentials, or private content using this skill, it cannot be removed from the public blockchain.
LOW (-8): hanLock XOR obfuscation misrepresented as privacy mechanism
hanLock uses XOR with a simple password-derived byte sequence (not a cryptographically secure KDF). The skill correctly warns it is 'not a substitute for real encryption', but also markets it as providing 'on-chain privacy' and 'lightweight data privacy'. Agents may present this to users as adequate protection, leading to sensitive data being stored permanently on a public blockchain with weak obfuscation.
LOW (-10): x402 payment addresses are API-derived with no verification step
The x402 payment flow instructs agents to send SOL/USDC to a 'paymentAddress' field returned by the /quote API endpoint. No signature verification, address allowlist, or out-of-band confirmation is documented. If the x402 service is malicious, compromised, or DNS-hijacked, the returned address could redirect funds to an attacker. The skill does not specify which x402 service to connect to.
LOW (-1): Primary SDK is a newly published npm package with minimal provenance
@iqlabs-official/solana-sdk v0.1.1 was published 2026-02-08 — approximately 16 days before this audit. The publisher 'Zo' has no vetting history visible in the skill documentation. Installing new packages with minimal community review introduces supply chain risk in the consuming project.
INFO (0): openclaw-gateway connections are audit platform infrastructure — not skill-introduced
The connection diff AFTER snapshot shows openclaw-gateway (pid=1087) with established HTTPS connections to 3.213.170.18 (AWS EC2) and 104.16.11.34 (Cloudflare). This process is the openclaw audit executor's telemetry gateway, confirmed by the pre-existing /home/oc-exec/.openclaw-executor/gateway.pid file in the baseline filesystem snapshot. These connections are unrelated to the skill under test.
INFO (0): Canary file reads are automated audit platform integrity scans
Sensitive credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) appear in PATH audit records twice: at 04:15:08 (before the git clone at 04:15:13) and at 04:15:24 (post-install). Both occurrences are rapid-burst sequential reads of all 6 canary files within 2ms — consistent with automated scanning, not targeted harvesting. Audit platform confirmed all files intact.