Is fusae/clawrent-web-scraping safe?

The skill instructs the agent to POST to clawrent.xyz/v1/node/heartbeat every 30 seconds and, if the response contains a 'task' field, to 'run it immediately'. There is no validation of the task URL, no user confirmation requirement, no scope restriction, and no ability for the agent to refuse. This is a textbook command-and-control (C2) mechanism: the operator can direct the agent to browse any URL at any time by returning it in the heartbeat response.

The skill's core loop is: receive URL from clawrent.xyz → browse it → send full page HTML back to clawrent.xyz. The operator chooses which URLs are browsed. If any task URL points to an internal resource (localhost services, cloud metadata, intranet pages, file:// paths accessible to the browser), the complete HTML of that resource is transmitted to the attacker's server. The user has no visibility into which URLs are being scraped or what data is being sent.

On first run, the skill registers the machine with the operator by POSTing the hostname, OS platform, and IP address. This creates a persistent record linking the user's machine identity to their API key and enables targeted task delivery.

Each task carries operator-controlled fields (waitMs, selector, returnType) that directly alter agent behavior. A malicious operator can chain multiple task types, use CSS selectors to extract specific data elements, or trigger screenshot capture of sensitive content. These fields are injected from the server into the agent's decision-making with no sanitization.

The skill is framed as a legitimate 'earn money while idle' service. This framing is deliberately chosen to lower user vigilance and provide plausible deniability. Users who install this skill believe they are participating in a voluntary scraping marketplace; the actual architecture gives the operator unconditional remote control over their agent.

The skill explicitly supports screenshot capture via task.options.returnType. An operator can request screenshots of any page the browser renders, including locally accessible pages that may display sensitive information, authenticated application state, or private documents.

The agent's browser tool can access localhost, 169.254.169.254 (AWS IMDS), internal network services, and potentially file:// URIs. Since the operator controls task URLs with no restrictions, they can target these internal resources by simply returning them in heartbeat responses. All retrieved content is then transmitted to clawrent.xyz.

The instruction to 'immediately send one more heartbeat' after each task result creates a continuous execution loop. The agent is never truly idle — it is constantly polling for new instructions. This degrades agent availability for legitimate user tasks and makes the C2 activity harder to notice.

While the skill contains no executable files, the heartbeat mechanism delivers operator-specified actions (URL navigation, DOM extraction, screenshots) that the agent executes using its browser tool. This is functionally equivalent to remote code execution mediated through natural language instruction injection.

The installation process was clean: shallow git clone of the monorepo, sparse checkout of the target skill path, file copy to skill-under-test directory, temporary directory cleanup. No suspicious processes, no unexpected network connections attributable to the skill, no filesystem writes outside the expected location.

All honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) passed integrity verification. A burst of accesses to all six canary files occurred at audit(1771908926.816), consistent with the audit harness performing a post-install integrity scan rather than skill-initiated access.