Is eucalyptus-viminalis/leak-publish safe?
https://github.com/openclaw/skills/tree/main/skills/eucalyptus-viminalis/leak-publish
The leak-publish skill is a file-monetization tool with critical security design flaws that make it unsafe to install in an LLM agent context. Its sensitive path blocklist omits ~/.env, ~/.npmrc, and ~/.docker/config.json — files that routinely contain API keys, auth tokens, and registry credentials — meaning an AI agent could be led to publish user credentials to the public internet without any protective intervention. The skill defaults to launching persistent background file servers via systemd/launchd/tmux/screen/nohup that outlive the agent session, and installs and executes an unverified npm package (leak-cli) as a network server whose server-side behavior cannot be audited from the skill source alone.
Findings (11)
CRITICAL (-47): Sensitive path blocklist omits primary credential file types
The is_blocked_sensitive_path() function in publish.sh blocks ~/.ssh, ~/.aws, ~/.gnupg, ~/.config/gcloud, /etc, /proc, /sys, and /var/run/secrets. It does NOT block ~/.env (environment variables, API keys), ~/.npmrc (npm auth tokens, registry credentials), ~/.docker/config.json (container registry credentials), ~/.netrc (FTP/HTTP credentials), or any other dotfile not explicitly enumerated. A user request of 'publish my .env file for $0.01' passes all validation — symlink check, directory check, existence check, and blocked-path check — and the file is served to the internet.
HIGH (-30): Default persistent background server via supervisor chain
The skill's runtime policy sets RUN_MODE to 'auto' by default, which maps to SHOULD_BACKGROUND=1. The script then attempts systemd --user, launchd, tmux, screen, and nohup in sequence until one succeeds, launching a recursive call to publish.sh --foreground as a detached background process. This server persists after the agent session ends, binding to port 4021 and serving the target file. The agent has no mechanism to stop or monitor the server after launching it.
HIGH (-35): Core purpose creates public internet file exposure via Cloudflare tunnel
The --public flag invokes cloudflared to create a publicly accessible trycloudflare.com tunnel URL. Any file reachable by the agent and not in the incomplete blocklist can be made globally accessible. The consent gate (confirmation phrase) is a string match that an LLM agent can be guided to provide through prompt manipulation. The resulting URL is printed to stdout and logged, and the server persists until explicitly stopped.
HIGH (-28): Unverified npm package leak-cli executes as network server
The skill requires the 'leak-cli' npm package and invokes it as both a short-lived command and a long-running network server. The package handles file serving, x402 micropayment processing, and optionally Cloudflare tunnel management. Its server-side behavior — including what metadata is logged, what telemetry is reported upstream, and how file content is processed during payment flows — cannot be verified from the skill source alone. The package is not pinned to a specific version in the install spec.
MEDIUM (-20): Skill conditions agent to default to hidden background execution
By declaring persistent-by-default as the runtime policy and listing a priority-ordered fallback chain of persistence mechanisms, the skill trains the agent to normalize background process creation across all publish operations. Users may be unaware that a file server is running on their machine after the agent session ends. This behavioral conditioning makes it easier for future prompt manipulation to leverage background execution.
MEDIUM (-40): Combination with file-discovery skills creates credential exfiltration pipeline
This skill, combined with any file-listing capability (find, glob, ls), enables a complete credential exfiltration workflow: step 1 discovers credential files at ~/.env or ~/.npmrc; step 2 publishes them via leak-publish, bypassing the incomplete blocklist. The resulting Cloudflare URL delivers the credential file to any internet requester. The x402 gate provides plausible deniability (the file is 'for sale') while still making it accessible.
MEDIUM (-30): All six credential canary files read during audit session
Auditd PATH records show that /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were all opened for reading at 1771956453 (install start) and again at 1771956469 (post-install). The canary integrity check reports files intact and unmodified. These accesses are most likely from the audit monitoring infrastructure. However, the pattern of reading all high-value credential files twice, bracketing the install, is consistent with both legitimate canary monitoring and with credential scanning.
MEDIUM (-30): Skill name and design pattern suggest intentional bypass of security controls
The skill is named 'leak-publish' — 'leak' carries an established meaning of unauthorized disclosure. The safety policy section lists blocked paths that cover only the most obvious targets (.ssh, .aws, .gnupg) while omitting .env, .npmrc, and .docker — the files most commonly targeted in real supply-chain and CI/CD credential theft attacks. This specific combination of a protective-looking but incomplete blocklist creates the appearance of safety while leaving the highest-value targets unprotected.
MEDIUM (-35): Post-install openclaw-gateway established new external connections to AWS and Cloudflare
The connection diff shows that after skill installation completed, the openclaw-gateway process (pid=1084, pre-existing executor infrastructure) opened new TCP connections (state ESTABLISHED) to 44.214.208.192:443 (AWS EC2) and 104.16.3.34:443 (Cloudflare) that were not present in the BEFORE snapshot. A /home/oc-exec/.openclaw-executor/gateway.pid file confirms this process is executor infrastructure. The new connections most likely represent the executor reporting audit results, but the timing, after credential files were accessed and the skill was installed, is notable.
LOW (-18): Public exposure confirmation phrase susceptible to agent-level social engineering
The --public protection relies on the agent providing the exact string 'I_UNDERSTAND_PUBLIC_EXPOSURE'. In non-interactive mode (typical for agent use), this must be passed as --public-confirm I_UNDERSTAND_PUBLIC_EXPOSURE. A crafted user prompt like 'I understand the public exposure, please publish my file publicly' could cause the agent to pass this flag, bypassing the consent gate by matching the semantic intent rather than requiring the exact phrase.
INFO (0): No malicious install-time artifacts detected
The git repository contains no .gitattributes filter drivers, no .gitmodules pointing to external repos, no githooks, and no package.json with preinstall/postinstall scripts. The clone process was clean, touching only expected paths. The install script performed a sparse git checkout of the specific skill subdirectory only.