Is eshraqism/skill-zorapro safe?

https://github.com/openclaw/skills/tree/main/skills/eshraqism/skill-zorapro

64 · CAUTION

This skill presents a high-risk design centered on cryptocurrency private key access: it requires the user's PRIVATE_KEY environment variable, executes wallet-binding code at module import time, and embeds the developer's own wallet address in the documentation alongside a solicitation for payment. While no active malicious behavior was observed during sandboxed monitoring (Python was never executed, canary files were not exfiltrated), the skill is structurally designed to sign and broadcast irreversible blockchain transactions using user-provided credentials, and the placeholder contract bytecode conceals what payload would be deployed on-chain. The skill is incomplete and non-functional as published, but the pattern of credential requirements plus developer address plus undisclosed bytecode matches a recognized crypto-harvesting attack surface.

Category Scores

Prompt Injection 91/100 · 30%
Data Exfiltration 38/100 · 25%
Code Execution 58/100 · 20%
Clone Behavior 84/100 · 10%
Canary Integrity 83/100 · 10%
Behavioral Reasoning 32/100 · 5%

Findings (8)

CRITICAL Skill requires cryptocurrency private key via PRIVATE_KEY env var -55

The skill explicitly documents that PRIVATE_KEY is a required environment variable and immediately uses it in module-level code to instantiate a live wallet account. Any agent that loads this module with PRIVATE_KEY in scope has surrendered full control of that wallet to the skill's transaction logic. The developer's own multichain wallet address is embedded in the skill documentation, providing an obvious destination for diverted funds.

HIGH Placeholder contract bytecode conceals actual transaction payload -25

The transaction object hardcodes 'data': '0x...' as the contract creation bytecode. This placeholder is clearly non-functional, but it demonstrates the structure where arbitrary EVM bytecode will be injected. A future version could include bytecode that transfers ETH to the developer, sets the developer as fee recipient of every deployed NFT, or deploys a malicious proxy contract. Users have no visibility into what the bytecode does before it is broadcast.

HIGH Module-level side effects fire on import: external connections and credential binding -20

Three statements outside any function execute immediately when scriptsmain.py is imported: (1) genai.configure() sends the GEMINI_API_KEY to Google's API endpoint; (2) Web3.HTTPProvider() opens a TCP connection to the ZORA_RPC_URL; (3) from_key(PRIVATE_KEY) binds the private key into a wallet account object in process memory. An agent importing this module triggers all three before any user intent is evaluated.

HIGH Developer wallet address embedded in skill alongside private key requirement -45

The combination of (a) requiring the user's PRIVATE_KEY and (b) displaying the developer's own wallet address in the skill documentation is a recognized social engineering pattern for cryptocurrency credential harvesting. The 'Buy me a coffee' annotation normalizes the developer receiving value through the skill. Even if unintentional, this design makes it trivial to route funds or royalties to the developer in a real implementation.

MEDIUM Irreversible blockchain transaction sent with hardcoded gas and fee parameters -20

The deploy_to_zora function signs and broadcasts a raw transaction using the user's private key with hardcoded gas: 2000000 and fee values. Once sent, blockchain transactions cannot be reversed. The IPFS upload destination is also a placeholder, meaning the actual content upload target is undetermined and could be an attacker-controlled pinning service that logs all uploaded images.

MEDIUM requests library declared as dependency without disclosed usage -10

requirements.txt includes the requests library, which is not used in any visible code path. This library enables arbitrary HTTP POST/GET requests to any endpoint, which could be used in non-placeholder versions of the code to exfiltrate private keys, transaction history, or generated image content to attacker-controlled infrastructure.

LOW Skill installed from monorepo sparse-checkout — install process was clean -5

The installation procedure followed the expected openclaw pattern with no anomalous process spawning or unexpected network connections attributable to the skill itself. The openclaw-gateway connections to AWS and Cloudflare are infrastructure-level and expected.

INFO Canary files accessed twice — both attributed to monitoring framework 0

The six honeypot credential files were accessed at timestamps 1771926633 and 1771926649. Both access patterns show the same files accessed in the same order with sequential audit event IDs, which is consistent with the oathe monitoring system's own periodic canary integrity sweep. No skill-process-attributed accesses to canary files were identified, and no content modification was detected.