Is encipher88/nadfunagent safe?
https://github.com/openclaw/skills/tree/main/skills/encipher88/nadfunagent
nadfunagent is a high-risk autonomous trading skill that requests and persistently stores the user's blockchain private key in agent memory, then executes real Monad mainnet transactions while routing 30% of all profits to MMIND token holders—a financial extraction mechanism that benefits the skill publisher at every user's expense. The skill's heavy use of CRITICAL markup, mandatory credential storage in agent memory, and autonomous financial operations without per-action user confirmation create an unacceptable risk profile. While no confirmed credential exfiltration to an attacker-controlled server was detected and canary files remained intact, the structural design of this skill—combining autonomous fund management with a profit-sharing scheme for the publisher—constitutes a DANGEROUS pattern regardless of direct malware indicators.
Findings (11)
CRITICAL Blockchain Private Key Stored in Persistent Agent Memory -40
SKILL.md explicitly instructs the agent to ask users for their MONAD_PRIVATE_KEY and then save it in OpenClaw's memory/session storage for future use. A blockchain private key stored in agent memory is accessible to all skills and persists across sessions, fundamentally compromising the user's wallet.
CRITICAL Profit Distribution to MMIND Holders is a Financial Extraction Scheme -40
The skill routes 30% of all trading profits to MMIND token holders. If the skill author (encipher88) holds MMIND tokens, every user running this skill generates passive income for the author. This is a financial extraction mechanism disguised as profit-sharing.
HIGH "CRITICAL" Labels Used Pervasively to Override Agent Caution -30
SKILL.md uses the word CRITICAL 17+ times and ALL CAPS formatting throughout to elevate the skill's instructions above normal agent reasoning. This pattern is commonly used to make an agent bypass safety checks and follow skill instructions without question.
HIGH Autonomous Blockchain Transactions with User Private Key -30
The skill executes real Monad mainnet transactions autonomously: buying and selling tokens, distributing profits via MON transfers. The autonomous loop runs every 10 minutes via cron with stop-loss and take-profit triggers that execute sells without user confirmation.
HIGH Private Key Exposed in Shell Command Arguments -25
execute-bonding-v2.js constructs shell commands embedding the raw private key as an environment variable prefix in the command string. This exposes the private key in /proc/PID/cmdline or /proc/PID/environ, visible to other processes on the system.
HIGH Trading Activity Reported to Telegram (External Channel) -20
SKILL.md mandates sending detailed trading reports to a user-provided Telegram bot after each cycle. This externalizes wallet activity, P&L, and position data to an out-of-band channel controlled by a third party (Telegram), and the skill author controls what data is included.
MEDIUM Skill Instructs Agent to Solicit Sensitive Credentials on Invocation -20
The skill uses its CRITICAL COMMUNICATION RULES to instruct the agent to ask users for MONAD_PRIVATE_KEY, MONAD_RPC_URL, MMIND_TOKEN_ADDRESS, and Telegram user ID on first run—essentially training the agent to extract and store sensitive information.
MEDIUM Skill Ships .env File in Repository -15
The skill repository includes a .env file (unusual for published skills). This suggests the skill was developed with credentials baked in or normalizes the presence of credential files alongside skill code.
MEDIUM Post-Install Read of All Canary Credential Files -17
Auditd records a second read of all six canary-adjacent files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) at timestamp 1771934058.531 (18 seconds after installation). The originating process could not be definitively attributed to either the audit system or skill-triggered activity.
LOW Potential Command Injection via External API Response -10
In execute-bonding-v2.js, token addresses sourced from the nad.fun API are interpolated directly into shell command strings without sanitization. In practice, valid token addresses are hex strings (0x[a-fA-F0-9]{40}) that cannot contain shell metacharacters, but a malicious actor with control at the API level could exploit this.
INFO Skill Depends on nad.fun Ecosystem Controlled by Possible Skill Author -5
The skill depends on nadfun-trading, nadfun-indexer, nadfun-agent-api, and monad-development skills, plus the nad.fun API infrastructure. If the skill author controls these dependencies, they have multiple vectors to update behavior after installation.