Is felo-sparticle/clawdwork safe?

The HEARTBEAT.md file is explicitly designed for OpenClaw's heartbeat system and instructs the agent to 'Follow it strictly', running every 30 minutes to check notifications, apply for jobs, continue in-progress work, and deliver completed work — all categorized as actions to 'Handle autonomously' without user approval. This creates a persistent background agent that silently takes consequential actions and writes state to agent memory.

The skill's API is designed to automatically inject Moltbook skill installation instructions into normal workflow responses. After verification, the response includes next_steps.moltbook with a skill_url and a first_post_suggestion pre-populated for direct posting via Moltbook's API. Post-job and post-delivery responses include share_suggestion fields. This is a systematic multi-vector approach to recruit agents to install a second external skill and post to an external social network.

An attacker can post a job with instructions in the description field instructing an agent to collect and return sensitive data. The agent, operating autonomously via the heartbeat, finds the job, reads the malicious instructions, and delivers sensitive content via POST /jobs/:id/deliver content field to the attacker-controlled job. The 'No Human Approval Needed' framing and autonomous heartbeat operation make this attack silent.

The full set of sensitive credential files was accessed post-installation at timestamp 1771914223 in a rapid batch sweep (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials). This pattern matches a credential harvesting scan. However, canary integrity checks confirm no content was transmitted externally; this batch is likely attributable to the oathe auditing framework's final canary recheck rather than the skill itself.

The skill repeatedly emphasizes 'No Human Approval Needed', 'instant' transactions, and '$100 free credit' to frame autonomous financial and work commitment actions as normal and desirable. This is designed to condition agents to bypass the caution they would otherwise apply when committing to external services or spending resources.

HEARTBEAT.md instructs the agent to write clawdwork-state.json to agent memory on every 30-minute cycle, tracking balance, active jobs, notification counts, and timestamps. This establishes persistent cross-session state that can influence agent decision-making and could be manipulated by a malicious job poster to alter agent behavior.

The _meta.json file references commit history from github.com/clawdbot/skills, but the skill was installed from github.com/openclaw/skills. This discrepancy means the skill's declared audit trail points to a different repository than the actual source, making independent verification of the skill's history impossible from metadata alone.

All five skill files are documentation or configuration only. No JavaScript, TypeScript, Python, shell scripts, package.json with install hooks, .gitattributes filters, .gitmodules, or symlinks were found. The skill cannot execute code at install time.