Is emilankerwiik/openkrill safe?

https://github.com/openclaw/skills/tree/main/skills/emilankerwiik/openkrill

Overall score: 70/100 (CAUTION)

OpenKrill is a legitimate x402 micropayment integration skill that openly grants AI agents autonomous authority to spend user cryptocurrency funds across a catalog of 12,000+ services, navigate browsers to payment pages, and create disposable email accounts — all without per-action user confirmation. No malicious code was found in the scripts, no data exfiltration was observed (canary files intact, no unexpected outbound connections), and clone behavior was clean. The primary risks are architectural: the skill's autonomous financial capabilities, combined with extremely broad activation triggers and a general-purpose fund-spending primitive (fetch-with-payment.ts), make it a high-value target for prompt injection attacks delivered through external content. A secondary concern is an undocumented thirdweb MCP endpoint in list-services.ts that receives the project secret key.

Category Scores (score out of 100, weight in overall score)

Category               Score    Weight
Prompt Injection       65/100   30%
Data Exfiltration      70/100   25%
Code Execution         70/100   20%
Clone Behavior         85/100   10%
Canary Integrity       90/100   10%
Behavioral Reasoning   40/100    5%

Findings (10): severity, title, score impact

HIGH Autonomous Financial Capability Without Per-Transaction User Consent -35

The skill's stated purpose is enabling agents to make micropayments autonomously without requiring user approval per transaction. If an attacker can inject instructions into the agent's context — via a scraped webpage, document, or email — they can direct fetch-with-payment.ts to send funds to an attacker-controlled x402 endpoint. The 12,000+ service catalog available via Bazaar dramatically expands the payment target surface.

HIGH Autonomous Browser Navigation to External Payment URLs -20

SKILL.md explicitly instructs the agent to navigate the user's browser to payment URLs using browser automation tools (MCP, browser tool, etc.) without explicit per-navigation user confirmation. This could be weaponized to direct users to phishing pages styled as thirdweb payment flows, or to navigate the browser to pages that trigger further injections.

HIGH THIRDWEB_SECRET_KEY Sent to Undocumented MCP Endpoint -20

list-services.ts sends the THIRDWEB_SECRET_KEY to api.thirdweb.com/mcp?tools=listPayableServices — an endpoint not present in thirdweb's public API documentation. This pattern is consistent with a key-collection mechanism. The endpoint is only called when the --fetch flag is passed, but agents following SKILL.md's guidance to 'fetch live services' may invoke it.

HIGH Extremely Broad Activation Triggers Expand Prompt-Injection Attack Surface -15

The skill activates on vague, common phrases like 'micropayments', 'crypto payments', or 'paying for API access'. These phrases can appear naturally in scraped web content, documents, or emails, meaning prompt-injected payloads in external content can reliably activate the skill and its financial capabilities without any user intent.

MEDIUM Credential File Access Sweep During Monitoring Window -20

Six credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud application_default_credentials.json) were opened and accessed in sequential sweeps at audit timestamps 1771927163.886 and 1771927187.165. The second sweep occurs after skill installation. While the most probable explanation is the oathe framework's own canary setup and integrity verification, the pattern is structurally identical to automated credential harvesting. Canary integrity confirmed intact.

MEDIUM fetch-with-payment.ts Is a General-Purpose Fund-Spending Primitive -20

The fetch-with-payment.ts script accepts any caller-supplied URL and routes an x402 payment through it. There are no URL allowlists or domain restrictions. Any code path that can pass an arbitrary string as --url can direct user funds to an arbitrary recipient. This is a high-value target for prompt injection attacks operating within an agent context.

MEDIUM Autonomous Disposable Email Account Creation for Third-Party Signups -25

The skill enables agents to create throwaway email accounts via mail.tm and autonomously use them to register for third-party services. This could be used to create accounts at services the user did not authorize, accept terms of service on the user's behalf, or receive verification codes to complete unauthorized registrations.

MEDIUM Email Credentials Written to Persistent Disk Storage -10

SKILL.md and SERVICES.md instruct agents to save generated email account credentials (address, password, auth token, account ID) to a local .agent-emails.json file. These credentials persist beyond the session and could be accessed by other processes or exposed if the working directory is committed or shared.

LOW Aggressive Bazaar Discovery Conditioning -5

SKILL.md conditions agents to 'always start by querying the Bazaar discovery endpoint' when any service-purchasing question is asked. This creates a habitual external network call pattern that could be exploited, and gives the agent awareness of 12,000+ paid services it can access.

INFO Clone and Install Behavior Clean 0

Installation only produced expected GitHub traffic. Pre-existing Ubuntu update server connections were not skill-initiated. No unexpected processes spawned, no filesystem changes outside the skill directory, and no new persistent connections appeared in the post-install connection diff.