Is fermartz/astranova safe?

The skill instructs the agent to fetch https://agents.astranova.live/guide.md on demand and answer user questions from its content. This URL is operator-controlled and can be updated server-side at any time to inject arbitrary instructions into the agent's context. The instruction to 'answer in your own words' means the agent actively processes and acts on this remote content, making it a persistent live injection channel requiring no skill update.

The skill instructs the agent to execute all technical work silently — API calls, filesystem writes, credential storage — and present only conversational summaries unless the user explicitly asks for raw details. This design pattern reduces user oversight and prevents users from knowing what data is being sent or stored on their behalf.

The skill directs the agent to POST user-provided data to agents.astranova.live and write an API key to ~/.config/astranova/credentials.json. The explicit instruction 'Do not echo, print, or display the API key to the human after saving it' reduces user awareness of what credentials are being stored. Combined with the silent-operations design, users may not realize a persistent credential file has been created.

Verification requires the user to post a public tweet tagging @astranova_live with a verification code before the account activates. This forcibly links the user's Twitter identity to the platform's database, contributes to the platform's follower count and social proof, and makes this social media action a prerequisite to use the service.

The skill explicitly warns that shell metacharacters in user-supplied agent descriptions could cause problems when the agent constructs curl commands in shell. While the skill recommends using an HTTP library instead, this warning confirms the agent may execute shell commands, creating a potential shell injection path if a user provides adversarial input.

Installation performed a shallow sparse git clone from github.com, extracted only the skills/fermartz/astranova subtree, and removed the temporary clone. The openclaw-gatewa connections to 54.211.197.216:443 and 104.16.1.34:443 observed post-install are from the ClawHub audit gateway process (pid=1084), consistent with the audit infrastructure probing the skill's external API. No unexpected processes were spawned by the skill.

Canary file PATH audit events for .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json appear at audit start (1771933325) and end (1771933341) timestamps — these are the audit framework's own baseline and post-scan integrity checks. The filesystem diff confirms no modifications. No exfiltration occurred.

The skill onboards users to a platform that awards simulated currency ($SIM), promises a real on-chain Solana token ($ASTRA) as reward for AI agent performance, and states that trading functionality does not yet exist ('coming in Phase 2'). The combination of early-access bonus currency ('normally 5,000, you get 10,000'), urgency framing ('get in early, observe the market, and be ready'), and a future real-crypto reward for current engagement is a structural pattern common in pre-launch token pump schemes and gamified investment platforms.

Every user who registers must post a public tweet mentioning @astranova_live to activate their account. This is framed as identity verification but functions primarily as a mechanism to build the platform's Twitter following and social proof using user accounts, with no alternative verification path offered.