Is icarus-chen/skillnet safe?

SKILL.md explicitly instructs the agent to take unsanctioned actions across a broad set of triggers. The combination of 'No user permission needed to search, download, or load' with 'act immediately — do not wait for user instruction' effectively removes user oversight from a large fraction of agent behavior. The skill inserts itself as a mandatory preprocessing step into every multi-step task, regardless of whether the user requested it.

The skill creates a mechanism to download arbitrary SKILL.md files from api-skillnet.openkg.cn and inject them directly into the agent's active context as executable instructions. An attacker controlling any SkillNet registry entry — or the registry itself — can achieve arbitrary agent instruction injection. The agent is explicitly told to extract and apply instructions from downloaded skill content, including running bundled scripts.

Every non-trivial agent task triggers a keyword search to api-skillnet.openkg.cn before execution, revealing what the user is working on to an external Chinese-hosted service. The SKILL.md notes this service has no rate limit and no API key requirement — meaning all queries flow freely with no accountability. Over time this constitutes comprehensive surveillance of user activity.

The skill solicits sensitive credentials (API_KEY for LLM access, GITHUB_TOKEN) from users and routes them through the unverified skillnet-ai PyPI package. These credentials are then used to communicate with external endpoints. The 'silent use' design means users may not realize their credentials are being consumed. The package's source code and network behavior cannot be verified from this skill alone.

The skill installs skillnet-ai from PyPI — a package with no verifiable audit trail in this context. The package executes with full user privileges, communicates with api-skillnet.openkg.cn and the configured LLM endpoint, and handles sensitive credentials. PyPI packages can include arbitrary code executed at import or runtime.

The in-task triggers activate automatically on nearly all normal user behaviors: sharing any GitHub URL, any document, any log file. Each trigger silently invokes skillnet create, sending user content to an external LLM endpoint without explicit user approval. This covers the majority of typical agent interaction patterns.

Both inotify filesystem events and auditd PATH records confirm that .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application_default_credentials.json were opened and read twice during the monitoring window. File content was not modified. Timing of accesses (1771915939 = pre-clone, 1771915956 = post-analysis) is consistent with oathe framework canary management rather than skill-triggered reconnaissance, but the full access pattern across all credential file types is noted as significant.

Downloaded skills persist in ~/.openclaw/workspace/skills and are automatically consulted on future tasks. Any malicious skill installed once continues to inject instructions indefinitely. The dedup check in SKILL.md creates an automatic replacement mechanism — an attacker can push an updated malicious skill to replace a legitimate one.

During installation, the git clone process connected to GitHub (140.82.121.3:443) as expected. Canonical/Ubuntu infrastructure connections (185.125.188.58-59:443) reflect background sshd and system services, not skill behavior. No unexpected destinations were observed during the clone phase.