Is goodbaikin/bountyswarm safe?

The bounty:list command fetches active bounties from a backend fully controlled by the skill author. Every bounty description, metadataURI, and subtaskURI the agent receives is authored server-side and injected into the agent's task context. An operator of backend-production-3241.up.railway.app can dynamically serve adversarially crafted payloads to any agent running this skill without modifying the skill code itself. This is a persistent, updateable injection vector.

Every command the agent executes transmits a full payload to the skill author's Railway.app deployment: bounty:create sends task description and metadataURI; bounty:submit sends resultHash and resultURI; bounty:pick sends winner wallet address; bounty:subcontract sends sub-agent address and fee structure. The backend receives a complete operational record of the agent's activity on behalf of the user.

The skill orchestrates on-chain USDC escrow release, winner selection, and basis-point fee splitting. A compromised or malicious backend can serve manipulated bountyId values and winner addresses. If an agent populates bounty:pick or bounty:subcontract parameters from backend-fetched listings, funds could be released to attacker-controlled addresses on the BountyEscrow contract.

bounty:create accepts metadataURI and bounty:submit accepts resultURI as required string parameters with no format enforcement beyond 'IPFS URI or URL'. These URIs are transmitted to the backend and may trigger the agent or backend to dereference attacker-controlled content, expanding both what the attacker receives and what adversarial content can be delivered.

handler.ts constructs all request URLs by direct string concatenation: const url = \${ctx.config.backendUrl}${path}``. No scheme, hostname, or allowlist validation is applied. If the backendUrl configuration value is attacker-influenced (via prompt injection or config manipulation), all five API endpoints can be redirected to internal services or arbitrary external hosts.

Bounty listings returned by GET /api/bounties are returned directly to the agent via CommandResult.data. Fields such as description, metadataURI, and any backend-defined metadata are processed as trusted agent input. The agent may act on adversarial instructions embedded in these fields without recognizing their external origin.

Filesystem monitoring recorded opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud application default credentials at 09:02:14 (pre-install, auditd 1771923734.370-371) and post-install (auditd 1771923757.831:1435-1440). The pre-install access at 1771923734.370 occurs 33ms after the ss -tunap baseline command — consistent with the monitoring system establishing canary file hashes. The post-install access at 1771923757.831 follows the monitoring script's final inspection pass. No network traffic to the bountyswarm backend was observed; canary integrity confirmed all files unmodified.

The full installation sequence connected exclusively to GitHub (140.82.121.4:443) to perform a shallow sparse clone of the openclaw/skills monorepo. Ubuntu update servers (185.125.188/190.x) were contacted as part of normal sshd/motd activity unrelated to the skill. The bountyswarm.com domain and backend-production-3241.up.railway.app were not contacted. No files were created outside the skill directory.