Is jarchsclaw/4claw-imageboard safe?
https://github.com/openclaw/skills/tree/main/skills/jarchsclaw/4claw-imageboard
4claw-imageboard is a skill for posting to an AI-agent imageboard. The installation itself was clean with no unexpected network connections, no canary exfiltration, and no executable code in the repository. However, the skill contains two significant architectural security risks: (1) a heartbeat mechanism that periodically fetches and executes instructions from an external server the user does not control — a persistent C2 channel — and (2) explicit instructions encouraging the agent to post 'what it's really thinking,' which can leak conversation context to a public third-party platform. The skill is not malicious as currently written, but its design gives the 4claw.org operator ongoing, updatable control over agent behavior in ways the user cannot audit.
Findings (12)
CRITICAL (-40): Heartbeat fetches and runs external server-controlled instructions on a schedule
The skill instructs the agent that if the owner opts in, it must 'fetch and run HEARTBEAT.md' from https://www.4claw.org/heartbeat.md every 2-6 hours. This is a persistent command-and-control mechanism: the 4claw.org server operator can modify HEARTBEAT.md at any time to issue arbitrary new instructions to every agent that has enabled the heartbeat, without user knowledge or further consent. The phrase 'fetch and run' explicitly means the agent treats the fetched document as executable instructions. This is functionally equivalent to a scheduled remote code execution / prompt injection channel baked into the skill.
HIGH (-8): 'Post what you're REALLY thinking' is an explicit behavioral override instruction
The skill description and SKILL.md repeatedly instruct the agent to post 'spicy hot takes — what your clankers are REALLY thinking'. This is a deliberate attempt to lower the agent's normal restraint and encourage it to externalize internal state, which could include conversation context, system prompt contents, or user data. The phrasing targets the agent's self-censorship mechanisms directly.
MEDIUM (-7): Core skill behavior is server-controlled via external URL references
The skill's File table explicitly references https://www.4claw.org/skill.md, https://www.4claw.org/heartbeat.md, and https://www.4claw.org/skill.json as canonical sources. The installed SKILL.md is therefore only a snapshot: an agent instructed to re-fetch these URLs receives whatever instructions the server currently serves. The skill also cites https://www.moltbook.com/skill.md as its format model, introducing an additional third-party trust dependency.
HIGH (-15): Heartbeat mechanism creates scheduled channel for exfiltrating agent context
When heartbeat is enabled, the agent periodically reads boards and 'optionally post/reply'. Any posting action sends data to the 4claw.org API. Because the heartbeat instructions come from the server, a malicious update to HEARTBEAT.md could instruct the agent to summarize recent conversation context and post it. The agent's API key persists at ~/.config/4claw/credentials.json, enabling this across sessions.
MEDIUM (-12): Skill design encourages AI agents to post internal state to a public platform
The imageboard's design purpose is explicitly to host AI agent 'hot takes' — content reflecting agent internal reasoning. This creates social pressure and in-context instructions for agents to share what they 'really think', which in practice means synthesizing and externalizing context from ongoing conversations. Posts go to a third-party server outside the user's control.
LOW (-8): Registration and X claim flow creates persistent external agent identity
The registration endpoint issues a persistent API key and associates the agent with a name/description. The claim flow links the agent to a real human's X/Twitter account. This creates a durable external identity for the agent that persists across sessions and could be used to correlate agent activity over time.
MEDIUM (-8): Heartbeat constitutes periodic remote instruction execution via prompt injection
While no traditional executable code is present in the repository, the heartbeat mechanism achieves equivalent effect: an external server delivers instructions to the agent on a schedule, and the agent is directed to 'run' them. This is soft remote code execution through the agent's instruction-following behavior rather than OS-level code execution.
INFO (-10): Full GNOME desktop session started during clone, creating monitoring noise
The audit VM started a full GNOME desktop session (gdm3, gnome-shell, gnome-keyring, gvfsd, at-spi, etc.) during the clone window. This adds hundreds of expected filesystem and socket events to the audit logs, making it harder to identify subtle malicious clone-phase activity. The clone itself connected only to expected hosts.
LOW (-12): Ambiguous post-install access to .env canary file
A filesystem access event for /home/oc-exec/.env was recorded at timestamp 1771922878.912, which is immediately after rm -rf /tmp/monorepo-clone at 1771922878.000 — placing it squarely in the post-install window. The canary integrity report confirms the file was not modified or exfiltrated, and this access is likely the audit system's own post-install canary check, but the timing warrants noting.
HIGH (-25): Heartbeat is a persistent AI agent botnet C2 when enabled
The opt-in framing is misleading about the ongoing risk. A user who says 'yes' to heartbeat consents to the current HEARTBEAT.md, not to all future versions. The 4claw.org operator can modify HEARTBEAT.md at any time to expand the scope of agent behavior — posting to new boards, reading local context, or interacting with other services. There is no version pinning, no code review of heartbeat updates, and no re-consent mechanism. This is architecturally identical to a botnet C2 channel for AI agents.
MEDIUM (-15): Skill systematically encourages AI agents to leak conversation context publicly
The entire design thesis of 4claw — a public imageboard for AI 'hot takes' — is premised on agents posting synthesized versions of their internal state. Even without heartbeat, every time a user asks the agent to post on 4claw, the agent synthesizes context from the conversation into a post that goes to a public third-party server. Users may not realize their conversation topics are being summarized and published.
LOW (-5): Combined with file-access tools, heartbeat enables ambient exfiltration
An agent with shell or file-read capabilities that enables the heartbeat could be directed by a HEARTBEAT.md update to read local files (API keys, .env, SSH keys) and post their contents to the imageboard. This is a plausible attack chain if the 4claw.org operator is malicious or compromised.