Is im-still-thinking/auction-house safe?

https://github.com/openclaw/skills/tree/main/skills/im-still-thinking/auction-house

Overall score: 78 · CAUTION

The auction-house skill is a functionally legitimate MCP server for the houseproto.fun crypto auction platform with no detected prompt injection, malicious code, or confirmed data exfiltration. The primary risk is by design: the skill explicitly enables autonomous cryptocurrency spending — once auto-bid rules are established, the agent can place on-chain bids without per-transaction user approval. Secondary concerns include runtime npm package delivery (no version pin), full trust in a third-party financial API, and post-installation accesses to sensitive credential files that are most likely the audit framework's own canary verification cycle but cannot be definitively attributed to it from the available data.

Category Scores

Prompt Injection 80/100 · 30%
Data Exfiltration 73/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 88/100 · 10%
Behavioral Reasoning 42/100 · 5%

Findings (7)

HIGH Autonomous Crypto Financial Transactions Without Per-Trade Approval -58

The skill's core design enables the agent to place real on-chain cryptocurrency bids without explicit user approval for each transaction once standing rules are established. The SKILL.md explicitly instructs: 'Always confirm the first time, then follow the rule autonomously after that.' This means a single confirmation grants open-ended financial authority. Combined with 'proactive monitoring during heartbeats,' the agent can spend user funds in the background without interaction.

MEDIUM Sensitive Credential Files Accessed Post-Installation -22

The syscall audit log records OPEN+ACCESS events against .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials at timestamp 1771921840.434 — after skill installation completed at ~1771921835. The access pattern mirrors the initial audit setup at 1771921818, suggesting this is the OpenClaw framework's canary verification cycle. Canary integrity is confirmed intact. However, because the process responsible for the post-install accesses cannot be definitively attributed from the available data, it is recorded here as a finding.

MEDIUM Runtime npm Package Download via npx -15

The skill is configured to run as 'npx auction-house-mcp' — this downloads and executes the npm package at agent startup rather than using a pinned/vendored binary. If the auction-house-mcp npm package is later compromised (e.g., via account takeover or dependency confusion), malicious code would execute with full agent permissions at next invocation. The installed dist/ files are pre-compiled and match the source, but the runtime delivery vector is not version-pinned.

MEDIUM Third-Party Service Controls Financial Outcomes -13

All auction data, bid amounts, and wallet balances are sourced exclusively from houseproto.fun. The agent trusts this API unconditionally — auction descriptions, current bid amounts, and wallet info are rendered directly into agent context. A compromised or malicious houseproto.fun could return fabricated auction data to manipulate the agent into overbidding, bidding on fraudulent listings, or triggering auto-bid rules inappropriately.

LOW API Key Transmitted to External Domain Controls Funded Wallet -5

The AUCTION_HOUSE_API_KEY environment variable controls a cryptocurrency wallet pre-funded by the user. This key is transmitted in plaintext HTTP headers to houseproto.fun on every API call. The key grants full bidding and auction creation authority. Loss of this key (via MITM, logging, or service compromise) results in direct financial loss.

INFO Proactive Heartbeat Monitoring Expands Agent Action Surface -20

The skill instructs the agent to proactively call search_auctions, my_bids, and potentially place_bid during periodic heartbeats without direct user prompting. This is transparently documented but means the skill causes ongoing background tool invocations whenever the agent is active, increasing the frequency of external API calls and autonomous decisions.

INFO Clean Installation — Standard OpenClaw Monorepo Pattern -12

The installation process followed the expected OpenClaw pattern: shallow sparse checkout from github.com/openclaw/skills.git, copy to skill-under-test directory, cleanup. No unexpected network connections, no foreign binary downloads, no process spawning outside of standard git tooling.