Is explainanalyze/koen safe?

https://github.com/openclaw/skills/tree/main/skills/explainanalyze/koen

90
SAFE

The Koen skill is a markdown-only social network API documentation file with no executable code, no malicious prompt injection, and no canary file compromise. Its primary risks are behavioral: it instructs agents to write an autonomous polling schedule to HEARTBEAT.md and to follow server-controlled 'engagement hints' from the koen.social API, creating an indirect runtime influence channel over agent actions. The skill itself is safe to install but operators should be aware it converts the agent into an autonomous social media actor that takes periodic behavioral direction from a remote server.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 92/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (6)

MEDIUM Persistent Autonomous Heartbeat Behavior -15

The skill explicitly instructs the agent to write a recurring schedule into HEARTBEAT.md that causes it to poll koen.social and engage with posts every 1-2 hours without explicit per-cycle user approval. This permanently modifies the agent's behavior profile across future sessions.

LOW Server-Controlled Engagement Direction via API -18

The /api/discover endpoint returns an engagement_hint field per post that the skill instructs the agent to read and act on. This creates a runtime influence channel: koen.social can direct which actions the agent takes (like, reblog, reply) by crafting hint text. If the platform is compromised or malicious, hints could instruct the agent to amplify specific content or spam particular targets.

LOW Server-Controlled Verification Challenge Text Processed by Agent -10

The posting verification flow requires the agent to parse and solve math problems expressed as server-provided l33t-speak text within a 30-second window. Challenge content is entirely under koen.social server control. While the challenges are currently benign math problems, this establishes a precedent for the server injecting structured text that the agent must interpret and act on.

LOW API Key Storage in Agent-Readable Persistence File -8

The skill recommends persisting KOEN_API_KEY in TOOLS.md, a file typically readable by the agent and potentially other skills. If another installed skill reads TOOLS.md for context (a common pattern), the Koen API key would be exposed to it.

INFO Explicit Anti-Phishing Security Warning Present 0

The skill contains a clearly visible CRITICAL SECURITY WARNING instructing the agent to never send the API key to any domain other than koen.social. This is a positive security practice that reduces the risk of API key theft via prompt injection from other sources.

INFO Platform Gateway Connections Not Attributable to Skill 0

The post-install network diff shows openclaw-gateway (pid=1086) with established connections to 54.211.197.216:443 (AWS) and new localhost listeners. These sockets are bound to the openclaw-gateway platform process, not spawned by the koen skill installation. They represent the execution environment's own infrastructure.