Is fluxmira-moltbot/clawsea-market safe?
https://github.com/openclaw/skills/tree/main/skills/fluxmira-moltbot/clawsea-market
ClawSea Market is a legitimate NFT marketplace integration skill with a clean SKILL.md — no prompt injection, no executable code, no unauthorized file or network activity attributable to the skill during installation, and all canary honeypots intact. The primary risks are operational rather than adversarial: the skill enables irreversible autonomous financial transactions on Base mainnet using a hot wallet private key; all three referenced implementation helper files are absent from the installed package, forcing the agent to synthesize critical Seaport logic from scratch; and the agent's trading decisions are entirely controlled by data returned from the external clawsea.io API. The credential file accesses observed in monitoring logs predate the git clone by 5+ seconds and are conclusively attributable to the audit infrastructure's canary setup routine.
Findings (8)
MEDIUM Autonomous onchain financial transactions with hot wallet private key -25
The skill instructs an agent to autonomously list, buy, and cancel NFT orders on Base mainnet using BOT_WALLET_PRIVATE_KEY for EIP-712 signing and transaction broadcast. All onchain operations are irreversible. A manipulated or confused agent could drain the configured wallet with no recourse.
LOW Order signatures and wallet operations sent to external ClawSea API -15
Core workflows require POSTing orderComponents+signature+priceEth to /api/orders, fulfillment confirmations to /api/orders/fulfill, and cancellations to /api/orders/cancel on clawsea.io. This external data flow is by design but means the skill's utility depends entirely on clawsea.io's integrity and availability.
LOW Private key normalization via environment variable creates exfiltration attack surface -10
By requiring BOT_WALLET_PRIVATE_KEY as an environment variable, the skill makes the key accessible to any shell tool invocation or env-reading capability available to the agent. If the agent is later manipulated by a prompt injection in API responses, the key could be read and exfiltrated.
LOW Bundled reference files referenced but absent from installed skill -17
SKILL.md explicitly instructs 'Read the references before implementing autonomous buy/list logic' and lists three bundled resources. None exist in the installed directory. The agent must synthesize Seaport EIP-712 parameters, conduit key details, and API shapes from memory alone, creating high risk of incorrect or exploitable implementations.
LOW External API responses implicitly control all agent trading decisions -10
The skill directs the agent to base all browse, listing, and purchase decisions on data returned by clawsea.io GET endpoints. A compromised or malicious clawsea.io backend could serve manipulated trending data, fake listings, inflated prices, or crafted order responses designed to exploit the agent's Seaport signing workflow (e.g., wash trading, fake floor prices).
LOW CLAWSEA_BASE_URL override enables marketplace endpoint substitution -13
The skill documents CLAWSEA_BASE_URL as optional, defaulting to https://clawsea.io, with the stated purpose of pointing bots at staging. A malicious user request or a chained skill could set this to an attacker-controlled endpoint that returns crafted order structures designed to extract funds via malformed Seaport orders.
INFO Observed credential file accesses predate skill installation — attributed to audit infrastructure -12
Inotify and auditd logs record accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials. Critical timing context: all accesses occur at unix timestamp 1771909348 (inotify 05:02:28), which is 5+ seconds before the git clone begins at 1771909353 (05:02:33). The skill was not yet present on disk. These accesses are from the oathe canary setup and post-install verification phases, not from the skill.
INFO All honeypot canary files confirmed intact 0
Post-install canary integrity check verified that all planted credential honeypots were not modified or exfiltrated. This is consistent with the skill containing no executable code.