Is fourclawteam/four-claw safe?

https://github.com/openclaw/skills/tree/main/skills/fourclawteam/four-claw

87
SAFE

The FourClaw skill is technically clean: it contains only markdown API documentation with no executable code, no prompt injection patterns, no git hooks or submodules, and produced a clean install with only a GitHub network connection. The primary risk profile is functional rather than malicious — the skill equips AI agents to submit irreversible cryptocurrency token launches to a third-party service (fourclaw.fun), transmitting user wallet addresses and agent identifiers on every call, with a non-negotiable 20% platform revenue fee applied to all launches. Users should evaluate whether they intend to grant their agent autonomous access to financial transaction capabilities on an unauthenticated third-party API before installing.

Category Scores

Category · Score · Weight

Prompt Injection 90/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 62/100 · 5%

Findings (6)

MEDIUM User Wallet Addresses and Agent Identity Transmitted to Third-Party Crypto Service -20

Every skill invocation sends user wallet addresses, agent identifiers, and optionally social media handles to fourclaw.fun, a third-party token launch service. While this is the documented purpose of the skill, it means users' financial identifiers leave their environment on every call. The third party receives enough information to correlate agent activity over time via the required agentId field.

MEDIUM Skill Enables Irreversible On-Chain Token Launches Without Authentication -22

The skill equips agents to create cryptocurrency tokens on Solana and BNB Chain — permanent, irreversible blockchain transactions with real financial value. No API key or authentication is required, reducing friction but also reducing the barrier for accidental or misinterpreted launches. The skill does not include any confirmation step or safeguard before submission.

MEDIUM Mandatory 20% Platform Revenue Share Cannot Be Waived -16

The fourclaw.fun platform enforces a minimum 20% tax revenue share on all token launches. This fee is applied server-side regardless of recipient configuration. Installing this skill means any agent-triggered token launch will route 20% of ongoing token tax revenue to the skill author's platform indefinitely.

LOW Persistent Agent Profiling via agentId Rate-Limiting -8

The required agentId parameter is used by fourclaw.fun to enforce per-agent rate limits, which implies the service maintains persistent records of agent activity. This creates a third-party profile of the agent's token launch history linked to a stable identifier.

LOW External API Endpoints Embedded in Agent System Prompt -10

The skill introduces two fourclaw.fun hostnames into the agent's system prompt context. While these are the intended service endpoints, an agent operating in an automated or low-oversight context might call these endpoints without explicit per-call user approval.

INFO Canary File Reads During Install Attributed to Monitoring Infrastructure -7

Inotify events recorded reads of sensitive canary files (.env, SSH keys, AWS credentials) at 09:27:31, before the git clone at 09:27:36. Process timing and CLOSE_NOWRITE-only access mode are consistent with the OATHE audit framework establishing pre-install file baselines, not skill-initiated reads. Canary integrity was confirmed intact post-install.