Is fabriziogianni7/ceo-protocol-skill safe?

https://github.com/openclaw/skills/tree/main/skills/fabriziogianni7/ceo-protocol-skill

Overall score 78/100 · CAUTION

The ceo-protocol-skill is a legitimate DeFi governance integration for the CEO Protocol on Monad. Its core risk profile is financial rather than adversarial: the skill requires the agent to hold a live cryptocurrency private key in its environment and authorizes it to submit proposals, cast votes, execute strategies, and transfer on-chain assets. The requirement to also install two unaudited companion skills from the same author materially expands the attack surface, because every installed skill shares that environment. No evidence of prompt injection, hidden exfiltration, install-time hooks, or canary file compromise was found.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 79/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 58/100 · 5%

Findings (8)

HIGH Cryptocurrency Private Key Required in Agent Environment -20

SKILL.md instructs operators to export AGENT_PRIVATE_KEY=0x... into the shell environment before running the proposal scripts. An exported variable is inherited by every process the agent spawns, so any other skill, tool, or subprocess in that session can read it (via process.env or /proc/<pid>/environ) without ever touching the scripts that legitimately use it. If the agent is compromised, or a companion skill exfiltrates environment variables, the private key and every asset controlled by the associated wallet are exposed. A hardware or remote signer, or a separate low-balance key used only for this skill, would limit the blast radius.

HIGH Forced Companion Skill Installation Without Independent Audit -22

The skill prerequisites unconditionally instruct clawhub install for two additional skills by the same author. These skills have not been audited in this session. If either companion skill is malicious, it shares the agent's context, environment variables (including AGENT_PRIVATE_KEY), and tools, creating a three-skill attack surface.

MEDIUM Discussion API Defaults to localhost:3000 -12

The skill instructs the agent to POST discussion messages to APP_BASE_URL/api/discuss/agent, falling back to http://localhost:3000 when the env var is absent. A missing variable therefore silently turns the agent into a client of whatever is listening on port 3000 of the host, without explicit user configuration: a local dashboard, a dev server, or an internal API could receive the agent's discussion payloads.
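The three findings above are all visible in SKILL.md before anything is installed, so they can be caught by a static pre-install pass. The following is an added example written for this review, not code from the ceo-protocol-skill or its author: it scans a SKILL.md for exported key material, `clawhub install` prerequisites, and localhost defaults. The SKILL.md text in the block is constructed to resemble what the report describes; the companion skill names are placeholders, while AGENT_PRIVATE_KEY, APP_BASE_URL and the http://localhost:3000 fallback are the ones the report cites.

```javascript
// Added example, written for this review; not code from the skill or its author.
// Static triage of a SKILL.md for the three patterns behind the findings above.

const RULES = [
  {
    id: 'secret-in-env',
    severity: 'HIGH',
    // a shell export of something that looks like key material
    re: /\bexport\s+([A-Z0-9_]*(?:PRIVATE_KEY|MNEMONIC|SECRET|SEED)[A-Z0-9_]*)\s*=/,
    detail: (m) => `tells the operator to export ${m[1]} into the agent's environment`,
  },
  {
    id: 'companion-install',
    severity: 'HIGH',
    // any additional skill pulled in by the prerequisites
    re: /\bclawhub\s+install\s+(\S+)/,
    detail: (m) => `requires installing ${m[1]}, which shares the agent's env and tools`,
  },
  {
    id: 'localhost-fallback',
    severity: 'MEDIUM',
    // a default that points the agent at services on the local host
    re: /https?:\/\/(?:localhost|127\.0\.0\.1|0\.0\.0\.0)(?::\d+)?/,
    detail: (m) => `defaults to ${m[0]}, reaching local services without user configuration`,
  },
];

// Returns one finding per (line, rule) match; line numbers are 1-based.
function triageSkillMd(markdown) {
  const findings = [];
  markdown.split('\n').forEach((text, i) => {
    for (const rule of RULES) {
      const m = rule.re.exec(text);
      if (m) findings.push({ rule: rule.id, severity: rule.severity, line: i + 1, detail: rule.detail(m) });
    }
  });
  return findings;
}

// Any HIGH finding means a human must look before the skill is installed.
function verdict(findings) {
  if (findings.some((f) => f.severity === 'HIGH')) return 'REVIEW_REQUIRED';
  if (findings.some((f) => f.severity === 'MEDIUM')) return 'CAUTION';
  return 'OK';
}

// Constructed SKILL.md excerpt (not the real file; companion names are placeholders).
const SAMPLE_SKILL_MD = [
  '# CEO Protocol Skill',
  '## Prerequisites',
  'Install the companion skills first:',
  '    clawhub install example-author/companion-one',
  '    clawhub install example-author/companion-two',
  '## Setup',
  'export AGENT_PRIVATE_KEY=0x...',
  'export APP_BASE_URL=https://app.example.invalid',
  '## Discussion',
  'POST messages to $APP_BASE_URL/api/discuss/agent; if APP_BASE_URL is unset, use http://localhost:3000.',
].join('\n');

const SAMPLE_FINDINGS = triageSkillMd(SAMPLE_SKILL_MD);
console.log(verdict(SAMPLE_FINDINGS), SAMPLE_FINDINGS);
```

On the constructed excerpt this reports two companion installs, one exported private key, and one localhost fallback, and returns REVIEW_REQUIRED; the export of APP_BASE_URL on its own is not flagged because it is not key material and does not point at the local host.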

MEDIUM Scripts Execute Live Blockchain Transactions with User Funds -15

submit-proposal.mjs and the execute, convertPerformanceFee, and withdrawFees operations interact with smart contracts holding real USDC and CEO tokens. The scripts themselves are legitimate, but the agent is being given authority to move funds on behalf of the user, and a subtle bug, a stale or manipulated view of chain state, or a manipulated prompt could result in irreversible financial loss.

MEDIUM Post-Install Sensitive File Access (Canary Paths Opened) -8

Auditd PATH records at timestamp 1771923629.108 show open() syscalls on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials — all occurring approximately 5 seconds after skill installation completed. Canary honeypots confirm files were not exfiltrated; timing is consistent with the oathe audit system's post-install re-check, but the pattern warrants disclosure.
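The correlation behind this finding, as an added example written for this review rather than code from the audit tooling or the skill: auditd emits one SYSCALL record and one or more PATH records per event, all sharing the serial number inside `msg=audit(TIMESTAMP:SERIAL)`, so grouping by serial pairs each opened path with the syscall number and the executable that made it. The log lines below are constructed in auditd's format (only the 1771923629.108 timestamp comes from the report), and INSTALL_DONE_TS is an assumed install-completion time.

```javascript
// Added example, written for this review; not code from the audit tooling or the skill.
// Groups auditd SYSCALL/PATH records by serial and reports credential-file opens
// that land within a window after a skill install finished.

const SENSITIVE_PATHS = [
  /(^|\/)\.env$/, /\/\.ssh\//, /\/\.aws\/credentials$/, /(^|\/)\.npmrc$/,
  /\/\.docker\/config\.json$/, /\/\.config\/gcloud\//,
];
// x86_64 (arch=c000003e) syscall numbers for open, openat, openat2
const OPEN_SYSCALLS = new Set(['2', '257', '437']);

// One record -> { type, ts, serial, fields }, or null for lines that are not audit records.
function parseAuditLine(line) {
  const head = /^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$/.exec(line.trim());
  if (!head) return null;
  const fields = {};
  for (const m of head[4].matchAll(/(\w+)=("[^"]*"|\S+)/g)) {
    fields[m[1]] = m[2].replace(/^"|"$/g, '');
  }
  return { type: head[1], ts: parseFloat(head[2]), serial: head[3], fields };
}

// Records sharing a serial belong to one syscall; pair PATH names with the SYSCALL number and exe.
function findPostInstallCredentialOpens(lines, installDoneTs, windowSec) {
  const events = new Map();
  for (const line of lines) {
    const rec = parseAuditLine(line);
    if (!rec) continue;
    const ev = events.get(rec.serial) || { ts: rec.ts, syscall: null, exe: null, paths: [] };
    if (rec.type === 'SYSCALL') { ev.syscall = rec.fields.syscall; ev.exe = rec.fields.exe; }
    if (rec.type === 'PATH' && rec.fields.name) ev.paths.push(rec.fields.name);
    events.set(rec.serial, ev);
  }
  const hits = [];
  for (const [serial, ev] of events) {
    if (!OPEN_SYSCALLS.has(ev.syscall)) continue;
    const delta = ev.ts - installDoneTs;
    if (delta < 0 || delta > windowSec) continue;
    for (const path of ev.paths) {
      if (SENSITIVE_PATHS.some((re) => re.test(path))) {
        hits.push({ serial, exe: ev.exe, path, secondsAfterInstall: delta });
      }
    }
  }
  return hits.sort((a, b) => a.secondsAfterInstall - b.secondsAfterInstall || a.path.localeCompare(b.path));
}

const INSTALL_DONE_TS = 1771923624.1; // assumed: when the install step finished
// Constructed records: three opens about 5 s after install (two credential files, one benign)
// and one open of .env 76 s later, outside the window.
const SAMPLE_AUDIT_LINES = [
  'type=SYSCALL msg=audit(1771923629.108:4101): arch=c000003e syscall=257 success=yes exit=3 pid=4242 uid=0 comm="node" exe="/usr/bin/node" key="canary"',
  'type=PATH msg=audit(1771923629.108:4101): item=0 name="/root/.ssh/id_rsa" inode=1234 mode=0100600 nametype=NORMAL',
  'type=SYSCALL msg=audit(1771923629.108:4102): arch=c000003e syscall=257 success=yes exit=4 pid=4242 uid=0 comm="node" exe="/usr/bin/node" key="canary"',
  'type=PATH msg=audit(1771923629.108:4102): item=0 name="/root/.aws/credentials" inode=1235 mode=0100600 nametype=NORMAL',
  'type=SYSCALL msg=audit(1771923629.110:4103): arch=c000003e syscall=257 success=yes exit=5 pid=4242 uid=0 comm="node" exe="/usr/bin/node" key="canary"',
  'type=PATH msg=audit(1771923629.110:4103): item=0 name="/workspace/skill/package.json" inode=2000 mode=0100644 nametype=NORMAL',
  'type=SYSCALL msg=audit(1771923700.500:4200): arch=c000003e syscall=257 success=yes exit=3 pid=5100 uid=0 comm="cat" exe="/usr/bin/cat" key="canary"',
  'type=PATH msg=audit(1771923700.500:4200): item=0 name="/root/.env" inode=1236 mode=0100600 nametype=NORMAL',
];

console.log(findPostInstallCredentialOpens(SAMPLE_AUDIT_LINES, INSTALL_DONE_TS, 30));
```

With a 30-second window the constructed log yields the two credential opens by /usr/bin/node about 5.0 s after install; the package.json open is not sensitive and the later .env open falls outside the window. Widening the window to 120 s pulls the .env open in, which is why the choice of window, and whether the opening executable is the audit harness or the skill's own node process, decides whether a hit like this is a re-check or a finding.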

LOW RPC Endpoint Trusted Without Verification -10

The skill instructs the agent to use 'your configured Monad RPC endpoint' without any validation or cross-checking. A compromised or attacker-controlled RPC endpoint could serve false on-chain state (wrong balances, fabricated proposals, altered vote tallies), leading the agent to vote for or execute malicious proposals, misreport vault balances, or take incorrect actions. Reads that precede a transaction should be pinned to a specific block and confirmed against at least one independent endpoint before the agent signs anything.
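One way to close this gap, as an added example written for this review (it is not the skill's code and does not use viem): pin the read to a block that every endpoint already has and that is deep enough to be stable, then require independent RPC endpoints to agree on the chain ID, that block's hash, and the exact `eth_call` result the agent is about to act on. The endpoints, chain ID, addresses, block hashes and balances below are a constructed mock of JSON-RPC responses; a real `query` would be async and go over HTTP.

```javascript
// Added example, written for this review; not the skill's code, not viem.
// Cross-checks a pinned read across several RPC endpoints before acting on it.

const EXPECTED_CHAIN_ID = '0xabc'; // placeholder; use the chain ID you configured
// balanceOf(address) on a placeholder vault, for a placeholder agent address
const VAULT_BALANCE_CALL = {
  to: '0x0000000000000000000000000000000000000001',
  data: '0x70a08231' + '000000000000000000000000' + '0000000000000000000000000000000000000002',
};

// Value held by more than half the endpoints, or null when there is no majority.
function majority(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let best = null, n = 0;
  for (const [v, c] of counts) if (c > n) { best = v; n = c; }
  return n * 2 > values.length ? best : null;
}

// query(endpoint, method, params) -> result. ok is true only when every endpoint agrees;
// disagreeing endpoints are returned so the operator can drop them.
function crossCheck(endpoints, query, { expectedChainId, confirmations, call }) {
  const chainIds = endpoints.map((e) => query(e, 'eth_chainId', []));
  const heights = endpoints.map((e) => parseInt(query(e, 'eth_blockNumber', []), 16));
  // pin to a block every endpoint already has, deep enough that a reorg is unlikely
  const tag = '0x' + (Math.min(...heights) - confirmations).toString(16);
  const hashes = endpoints.map((e) => query(e, 'eth_getBlockByNumber', [tag, false]).hash);
  const results = endpoints.map((e) => query(e, 'eth_call', [call, tag]));
  const blockHash = majority(hashes);
  const result = majority(results);
  const outliers = endpoints.filter((e, i) =>
    chainIds[i] !== expectedChainId || hashes[i] !== blockHash || results[i] !== result);
  return { ok: outliers.length === 0, block: tag, blockHash, result, outliers };
}

// Synchronous stand-in for JSON-RPC, keyed by method + params (constructed, nothing is fetched).
function mockRpc(responsesByEndpoint) {
  return (endpoint, method, params) => {
    const key = method + JSON.stringify(params);
    const table = responsesByEndpoint[endpoint];
    if (!table || !(key in table)) throw new Error(`${endpoint}: no response for ${key}`);
    return table[key];
  };
}

const HONEST_HASH = '0x' + '11'.repeat(32); // placeholder block hash
function canned(height, hash, balance) {
  // min(height) - 16 confirmations is 4080 = 0xff0 for the heights used below
  return {
    'eth_chainId[]': EXPECTED_CHAIN_ID,
    'eth_blockNumber[]': '0x' + height.toString(16),
    ['eth_getBlockByNumber' + JSON.stringify(['0xff0', false])]: { number: '0xff0', hash },
    ['eth_call' + JSON.stringify([VAULT_BALANCE_CALL, '0xff0'])]: balance,
  };
}
// rpc-c reports the same chain and block but a vault balance ten times larger
const RESPONSES = {
  'rpc-a': canned(4096, HONEST_HASH, '0x0de0b6b3a7640000'),
  'rpc-b': canned(4097, HONEST_HASH, '0x0de0b6b3a7640000'),
  'rpc-c': canned(4096, HONEST_HASH, '0x8ac7230489e80000'),
};
const CHECK_OPTS = { expectedChainId: EXPECTED_CHAIN_ID, confirmations: 16, call: VAULT_BALANCE_CALL };

console.log(crossCheck(['rpc-a', 'rpc-b', 'rpc-c'], mockRpc(RESPONSES), CHECK_OPTS));
```

With all three endpoints the check halts (`ok: false`) and names rpc-c as the outlier while still returning the majority balance; with only rpc-a and rpc-b it passes. With two endpoints that disagree there is no majority, every endpoint is treated as untrusted, and the agent must not proceed. Agreement on the block hash matters as much as agreement on the balance: an endpoint can serve a consistent but fabricated fork.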

LOW proposalURI is Agent-Controlled Free-Form String -3

The registerProposal transaction accepts proposalURI as an arbitrary string that is stored on-chain. If a malicious actor could influence the URI the agent submits, this channel could encode exfiltrated data or carry instructions to other agents that read proposals from the chain. In its current form the agent itself authors the URI, so the risk is low, but the channel exists.

INFO Clean package.json — No Install Hooks 0

Reviewed package.json: no preinstall, postinstall, prepare, or other lifecycle scripts are present. The only runtime dependency is viem@^2.38.5, pinned in package-lock.json with verified integrity hashes. No git submodules or hooks were found.
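The manifest checks behind this finding, as an added example written for this review and not the skill's own code: flag any npm lifecycle script, and require each dependency to resolve to a registry tarball with a sha512 integrity hash in the lockfile. The package.json and package-lock.json objects below are constructed to mirror what the report describes (a single viem runtime dependency); the package name, integrity digest and tarball URL are placeholders.

```javascript
// Added example, written for this review; not the skill's code.
// Checks a package.json / package-lock.json pair for install-time hooks and unpinned dependencies.

// npm scripts that run during `npm install` without the user invoking them
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepublish',
  'preprepare', 'prepare', 'postprepare', 'prepack', 'postpack', 'dependencies'];

function reviewManifest(pkg, lock) {
  const issues = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (pkg.scripts && hook in pkg.scripts) {
      issues.push(`lifecycle script "${hook}" runs at install time: ${pkg.scripts[hook]}`);
    }
  }
  const deps = { ...(pkg.dependencies || {}), ...(pkg.optionalDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    // git, URL and file specs bypass the registry entirely
    if (/^(git\+|github:|https?:|file:)/.test(spec)) issues.push(`${name} is sourced from ${spec}, not the registry`);
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry) { issues.push(`${name}@${spec} has no package-lock.json entry`); continue; }
    // a sha512 SRI hash is 86 base64 chars plus "==" padding
    if (!/^sha512-[A-Za-z0-9+/]{86}==$/.test(entry.integrity || '')) {
      issues.push(`${name}@${entry.version} lacks a sha512 integrity hash`);
    }
    if (!/^https:\/\/registry\.npmjs\.org\//.test(entry.resolved || '')) {
      issues.push(`${name}@${entry.version} resolves to ${entry.resolved}, not registry.npmjs.org`);
    }
  }
  return issues;
}

// Constructed manifests (placeholders, not the skill's real files)
const CLEAN_PKG = { name: 'example-skill', dependencies: { viem: '^2.38.5' }, scripts: { test: 'node --test' } };
const CLEAN_LOCK = {
  packages: {
    'node_modules/viem': {
      version: '2.38.5',
      resolved: 'https://registry.npmjs.org/viem/-/viem-2.38.5.tgz',
      integrity: 'sha512-' + 'A'.repeat(86) + '==', // placeholder digest, not viem's real hash
    },
  },
};
// A tampered variant: a postinstall hook and a tarball fetched from somewhere else
const TAMPERED_PKG = { ...CLEAN_PKG, scripts: { ...CLEAN_PKG.scripts, postinstall: 'node setup.js' } };
const TAMPERED_LOCK = {
  packages: {
    'node_modules/viem': { ...CLEAN_LOCK.packages['node_modules/viem'], resolved: 'https://cdn.example.invalid/viem-2.38.5.tgz' },
  },
};

console.log(reviewManifest(CLEAN_PKG, CLEAN_LOCK), reviewManifest(TAMPERED_PKG, TAMPERED_LOCK));
```

The clean pair produces no issues; the tampered pair reports the postinstall hook and the off-registry tarball. Checking the lockfile rather than only package.json matters because a caret range such as ^2.38.5 is only a pin when the lock entry carries the resolved URL and hash that `npm ci` will enforce.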