Is crypto-learning safe?

https://clawhub.ai/hmzo/crypto-learning

72
CAUTION

This is a legitimate cryptocurrency education skill with a well-structured 180-day curriculum. The primary concerns are: (1) mandatory web_search on every invocation creates a persistent indirect prompt injection surface where malicious search results could influence agent behavior, (2) executable scripts with /tmp writes and a hardcoded Telegram ID, and (3) strong behavioral directives that rigidly control agent output. No active data exfiltration, no malicious code, and no canary violations were detected.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

MEDIUM Executable shell script with /tmp file write -15

schedule.sh is designed to run via cron, executes python3, and writes output to /tmp/crypto-learning-today.txt. While the content is non-sensitive learning material, writing to world-readable /tmp locations is poor practice.

MEDIUM Hardcoded Telegram ID in commented code -15

schedule.sh contains a commented-out command to send messages to a specific Telegram user ID (8550833012). If uncommented or if the cron agentTurn mechanism activates, this would send unsolicited messages.

MEDIUM Mandatory web_search creates indirect injection surface -20

The skill requires the agent to perform web_search on every invocation and integrate results into output. This creates a persistent indirect prompt injection vector — malicious content in search results could be processed by the agent as instructions during the 'latest materials integration' step.

LOW Strong behavioral override directives -15

SKILL.md uses imperative language (禁止/forbidden, 必须/must, 硬约束/hard constraints) to rigidly control agent output format, minimum length, and required modules. While serving a legitimate purpose, this level of behavioral prescription reduces agent autonomy.

LOW Platform bootstrap reads sensitive config files -15

During installation, the OpenClaw platform reads .env, .aws/credentials, openclaw.json, and auth-profiles.json. While these are platform-initiated (not skill-initiated), the skill's presence triggers this bootstrap sequence.

INFO Two redundant Python implementations -5

The skill contains both learn.py and crypto_learning.py with overlapping functionality. This is not a security issue but indicates sloppy development — the duplicate code increases attack surface unnecessarily.

INFO Skill designed for single specific user -5

The skill hardcodes user_id 'hmzo' and Telegram ID 8550833012, indicating it was built for personal use. This is not inherently dangerous but means it was not designed with multi-user safety considerations.