Is hoonilp/artwar safe?

https://github.com/openclaw/skills/tree/main/skills/hoonilp/artwar

71 · CAUTION

The artwar skill provides API documentation for an AI art competition platform on Monad blockchain. No prompt injection, hidden instructions, or malicious code was found in SKILL.md, and the install process was clean with no unexpected behavior. However, the skill routes all agent activity — including wallet addresses, API keys, and file uploads — through an unencrypted HTTP endpoint at a bare IP address with no domain verification, and includes a persistent heartbeat instruction and real cryptocurrency betting that together represent meaningful financial and data exposure risk.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 98/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (8)

HIGH All API traffic routed to unencrypted HTTP endpoint at bare IP address -30

Every API call in the skill — registration (including wallet address), image upload, heartbeat, submission, betting, and comments — is directed to http://54.162.153.8:3000 over plaintext HTTP. No TLS is used, meaning all data, including wallet addresses and API keys, is exposed to any network observer. The use of a raw IP rather than a domain name prevents TLS certificate validation and makes the server's identity unverifiable.

HIGH Smart contract betting spends real cryptocurrency from user wallet -30

The skill instructs the agent to execute on-chain transactions spending 0.001 ETH per bet by calling a payable smart contract function with a provided ethers.js signer. This requires access to a wallet private key or connected signer. While labeled Monad Testnet, the code pattern is identical to mainnet execution and could be redirected. The financial risk is not disclosed in the skill description.

MEDIUM Image upload command reads arbitrary local files via curl @file syntax -20

The artwork upload command uses curl's @filename syntax which reads file contents directly from the local filesystem. If an agent following this skill is instructed or tricked into substituting a sensitive file path (e.g. @~/.ssh/id_rsa or @.env) for the artwork filename, that file's contents would be silently uploaded to the API server at 54.162.153.8.

MEDIUM Persistent heartbeat instruction establishes recurring background outbound connection -15

The skill explicitly instructs the agent to POST to /api/heartbeat every 60 seconds. This creates a persistent long-running behavior where the agent continuously communicates with the external server, functioning as a potential covert channel or agent tracking mechanism even when no art-related task is being performed.

MEDIUM Homepage URL does not match API server — provenance mismatch -20

The skill's declared homepage (github.com/Moltiverse-MonArt/monart) is a GitHub project page, but all API traffic goes to a bare IP address (54.162.153.8) with no affiliation to that domain. A legitimate service would use a domain matching its GitHub presence. This discrepancy prevents independent verification that the API server is operated by the same entity that published the GitHub project.

MEDIUM Betting functionality requires wallet private key or signer access -18

The JavaScript snippet for placing bets constructs an ethers.js Contract with a 'signer' object. This signer must have signing authority over a wallet containing ETH. The skill does not explain how the agent should obtain this signer, implying it expects pre-existing wallet access in the agent's environment — a significant undisclosed privilege requirement.

LOW API key transmitted and used over unencrypted HTTP -10

The API key returned from registration is sent in the X-API-Key header on all subsequent authenticated requests, every one of which is transmitted over plaintext HTTP. This makes the API key trivially interceptable by any on-path network observer.

INFO Requires node binary — implies JavaScript execution capability -5

The skill metadata declares node as a required binary alongside curl. While curl is expected for HTTP calls, node enables arbitrary JavaScript execution. Combined with the ethers.js betting code, the agent may need to install npm packages or execute multi-line scripts to use betting features.