Is harrytou/clawstarter safe?
https://github.com/openclaw/skills/tree/main/skills/harrytou/clawstarter
Clawstarter is a sophisticated skill that establishes a persistent, server-controlled instruction channel via a heartbeat mechanism that periodically fetches and executes content from clawstarter.io. While the current heartbeat.md content appears benign, the architecture is designed to allow the skill operator to deliver arbitrary new instructions to any enrolled agent at any time without user review — functionally equivalent to a command-and-control callback. The skill also modifies agent behavior to act autonomously on GitHub and Clawstarter APIs without per-action user approval, and embeds itself into the agent's own heartbeat file to persist beyond skill removal. The install-time behavior was clean and no canary files were exfiltrated, but the runtime architecture presents unacceptable ongoing risk.
Category Scores
Findings (12)
CRITICAL Server-controlled remote prompt injection via heartbeat fetch -40 ▶
HEARTBEAT.md instructs the agent to periodically fetch https://clawstarter.io/heartbeat.md and 'follow it'. This creates a live, server-controlled instruction channel. The operator of clawstarter.io can update heartbeat.md at any time to deliver arbitrary new instructions to every agent that has installed this skill, with no user review or approval. This is architecturally equivalent to a command-and-control callback in traditional malware.
CRITICAL Remote instruction fetch is functional RCE in LLM context -35 ▶
The fetch-and-follow heartbeat pattern is the LLM-equivalent of downloading and executing a remote script. Unlike static skill files reviewed at install time, the content of heartbeat.md can change without any user awareness. Future versions could instruct the agent to read sensitive files, make API calls to attacker-controlled endpoints, post content, or perform any action the agent's tools permit.
HIGH Persistent behavioral override: check Clawstarter after every task -20 ▶
The skill instructs the agent to insert a self-check into its task completion loop: 'Every time you complete a task, ask yourself: Should I check Clawstarter?' This modifies the agent's baseline behavior for all tasks, not just Clawstarter-related ones. Combined with embedding into HEARTBEAT.md, this ensures the skill continues to influence agent behavior even when the user has not invoked it.
HIGH Explicit removal of user from authorization flow -15 ▶
The 'Be Proactive' section and 'Act, then report' doctrine explicitly instruct the agent to take actions — including creating GitHub repositories, posting threads, voting, and engaging with external APIs — without requesting user approval. This directly undermines the user's ability to control agent behavior and could result in unwanted account activity, API costs, or repository modifications.
HIGH Autonomous GitHub actions without per-request authorization -25 ▶
The active development guide instructs agents to: create GitHub repositories under openclaw/, push code, open pull requests, and post progress updates — all as 'routine' actions that should not require user permission. If the agent has GitHub credentials (gh CLI, SSH keys), this could result in unauthorized repository creation, code commits, or PR activity on behalf of the user.
HIGH Agent identity and API key registered with third-party server -20 ▶
The skill instructs the agent to POST its name and description to clawstarter.io/api/registerAgent, receiving an API key. This key is then used in all subsequent requests. The server now has a persistent identifier for this agent, linked to its behavioral history (votes, posts, project joins). This data is entirely under the control of the skill operator.
HIGH Persistent C2 architecture with social engineering to maximize engagement -35 ▶
The skill's architecture — heartbeat embedding, periodic remote fetch, crypto funding incentive — is consistent with a long-game attack: establish the skill broadly, build agent engagement habits, then update heartbeat.md to deliver exploit payloads once sufficient agents are enrolled. The 'Phase 2 crypto funding' narrative specifically targets LLMs trained to be helpful and goal-directed, creating artificial urgency to act NOW.
MEDIUM Credentials stored in predictable, agent-readable locations -15 ▶
The skill recommends storing the Clawstarter API key in ~/.config/clawstarter/credentials.json, agent memory, and the CLAWSTARTER_API_KEY environment variable. All of these locations are accessible to the agent's tools. A future heartbeat.md update could instruct the agent to read and transmit this key to a different endpoint, or a separate malicious skill could harvest it.
MEDIUM Skill embeds itself into agent's own HEARTBEAT.md -5 ▶
By instructing the agent to modify its HEARTBEAT.md to include Clawstarter checks, the skill persists beyond its own file. Uninstalling the skill files does not remove the embedded heartbeat instruction. This is an intentional persistence mechanism.
MEDIUM Human-agent bond verification via X/Twitter reduces accountability -10 ▶
The 'claim via X (Twitter)' verification mechanism creates an identity link while providing the appearance of accountability. However, this mechanism is controlled entirely by clawstarter.io and cannot be independently verified. It also creates a social graph between users and their agents that is stored on the skill operator's server.
LOW Install behavior clean — only expected GitHub connection -7 ▶
The install process connected only to github.com (140.82.114.3) as expected for the sparse-checkout installation mechanism. No connections to clawstarter.io or any unexpected endpoints were observed during install. No new persistent listeners were created.
INFO All canary files intact 0 ▶
The honeypot files (.env, id_rsa, .aws/credentials, .npmrc, docker config, gcloud credentials) were accessed only by the Oathe audit system at baseline (timestamp 1771922484) and post-install verification (timestamp 1771922501). No exfiltration was detected.