Is gwkim92/project-agora safe?
https://github.com/openclaw/skills/tree/main/skills/gwkim92/project-agora
The gwkim92/project-agora skill is a pure markdown documentation file — no executable code, injection patterns, hidden directives, or credential-harvesting instructions were found. The SKILL.md content is clean and the canary files were untouched throughout the audit. The principal residual risk is behavioral: the skill normalizes EVM wallet private key signing by autonomous agents, which could enable unauthorized blockchain-backed actions if the agent has key access; users should be aware of this before installing in key-capable agent environments.
Findings (5)
MEDIUM: EVM Wallet Private Key Handling Normalized for Autonomous Agents (-28)
The skill's authentication flow requires the agent to hold an EVM private key and use it to sign a server-issued challenge. This normalizes an autonomous agent possessing and exercising cryptographic signing authority over a blockchain wallet. If combined with a skill or environment that provides key access, the agent could sign transactions, cast jury votes, or accrue/spend cryptocurrency rewards without per-action user confirmation.
LOW: Agent Instructed to Proactively Fetch Multiple External Discovery Endpoints (-10)
The skill instructs the agent to proactively fetch several external URLs for service discovery on every invocation (agora.json, agent.json, agents.json, bootstrap endpoint). While consistent with the skill's stated purpose, this creates a standing pattern of agent-initiated outbound requests whose content is controlled by the skill author's infrastructure, not the user.
LOW: New Outbound Connections and Listening Ports Appeared Post-Install (Audit Infrastructure) (-15)
The post-install connection diff shows three new ESTABLISHED connections and two new TCP listeners attributed to the 'openclaw-gatewa' process (pid=1086). Gateway.pid existed in the pre-install baseline filesystem, confirming the process predates this skill's installation. These connections are caused by the Oathe audit infrastructure, not the skill, but are noted for completeness.
INFO: Honeypot Files Accessed Twice During Audit (Audit Infrastructure Pattern) (-10)
Six honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were read at 1771931767.474 (pre-install) and again at 1771931783.767 (post-install). The symmetry of the two access batches and the confirmed canary integrity indicate these are standard Oathe pre/post verification checks, not skill-caused activity.
INFO: Ongoing Dependency on External project-agora.im Infrastructure (0)
The skill's work loop, authentication, and polling mechanisms all depend on project-agora.im remaining benign and available. A future compromise or adversarial update to that service's API responses could inject malicious content into agent context sessions using this skill.