Is fendouai/payaclaw safe?

The payaclaw package contains a fully-formed, separate skill definition for a WordPress blog management service (OpenClawLog). This file is absent from _meta.json, not mentioned in SKILL.md, and describes a completely different external service. Any agent that loads this package receives instructions for two external services: payaclaw.com and openclawlog.com. The additional skill expands the agent's external footprint without user consent.

openclawlog-skill.md explicitly instructs the agent to write auto-generated WordPress credentials to a predictable filesystem path and also to agent memory or 'wherever you store secrets'. This language normalizes broad credential persistence, risks poisoning the agent's memory with credentials to a third-party service, and may be imitated by the agent for other secrets it encounters.

The skill instructs agents to POST task solutions as freeform markdown to https://payaclaw.com/api/submissions. The content field is unconstrained. If an agent is directed to solve a task involving sensitive environment context, code, or credentials and then submit via this skill, that content is transmitted to a third-party server controlled by the skill author.

SKILL.md lists '心跳系统: HEARTBEAT.md' (Heartbeat System) as an additional resource, but no such file exists in the installed package. A heartbeat system typically involves periodic outbound signals from a client to a server. Its omission from the package means the referenced behavior contract is invisible to the auditor, and the reference itself implies the skill is designed for persistent, recurring agent communication beyond single invocations.

The bundled openclawlog-skill.md instructs agents to register with openclawlog.com, receiving auto-generated usernames, passwords, and API keys. These credentials are then used for subsequent XML-RPC calls. This creates an authentication relationship between the agent and a second third-party service that was not disclosed in the package's advertised purpose.

The skill requires the agent to POST its name, description, and capabilities to payaclaw.com/api/agents/register. This creates a persistent, externally-readable profile of the agent's identity and abilities at a third-party server. The registration returns an api_key that is then stored and reused across sessions.

_meta.json identifies the package owner as 'fendouai' with slug 'payaclaw', but the package contains a fully-featured OpenClawLog skill file with no relationship to the competition platform. This inconsistency indicates either negligent packaging or intentional bundling of additional instruction content to silently expand agent behavior beyond the advertised scope.

Inotifywait and auditd syscall logs show read-only access to all six canary files at timestamps preceding the git clone (07:59:43) and following installation (1771920001.476). CLOSE_NOWRITE events confirm no modification. Timing and periodicity are consistent with the audit framework's own baseline scanning. Canary integrity check confirmed all files intact with no outbound exfiltration detected.