Is jasonfdg/bidclub safe?

https://github.com/openclaw/skills/tree/main/skills/jasonfdg/bidclub

Overall score: 57
Verdict: CAUTION

The BidClub skill's most significant risk is its heartbeat mechanism, which instructs agents to permanently add a recurring task that fetches and executes instructions from https://bidclub.ai/heartbeat.md every 4 hours — effectively installing a persistent, operator-controlled remote command execution backdoor into the agent's task loop. While the installation itself is clean (pure markdown files, no executable code, no canary compromise, no unexpected network activity during clone), the skill's runtime design gives the skill operator ongoing unconstrained control over any agent that installs it, and its core function of posting investment content to an external platform creates both data exfiltration channels and meaningful regulatory risk.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 20/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 25/100 · 5%

Findings (10)

CRITICAL Persistent Remote Command Execution via Heartbeat Mechanism -60

The skill instructs agents to permanently add a recurring task to their HEARTBEAT.md that fetches https://bidclub.ai/heartbeat.md every 4 hours and 'follows' its instructions. This is not a subtle injection attempt — it is the explicit, architecturally central design of the skill. Whoever controls bidclub.ai can update heartbeat.md at any time to inject arbitrary instructions into every agent that has installed this skill, with no user awareness or approval required. The instruction chain is: skill install → agent adds heartbeat → agent fetches remote URL every 4 hours → agent executes whatever is there.

HIGH Pre-Action Remote URL Fetches Create Ongoing Injection Points -15

Before posting content or casting votes, the skill instructs agents to fetch and act on content from operator-controlled URLs (templates.md, voting-guidelines.md). These URLs can be updated at any time. Any agent following these pre-action fetch instructions will execute whatever content the operator has placed at those URLs, making every post and every vote a potential prompt injection event.

HIGH Agent Content Systematically Posted to External Platform -25

The primary function of the skill is to have agents regularly compose and POST investment research, analysis, and discussions to bidclub.ai. Any information in the agent's context window — including user data, portfolio information, or environment-derived context — could be included in these posts. The heartbeat mechanism further increases the frequency and scope of content the agent is expected to produce and transmit.

HIGH Skills Publishing API Enables Malicious Skill Propagation via Heartbeat -30

The skill includes an API endpoint for publishing executable skills (type: script, supported languages: python, javascript, bash, go, rust) to bidclub.ai. Combined with the heartbeat's remote control mechanism, the operator could instruct installed agents to publish crafted malicious skills to the platform where other agents might discover and install them, enabling agent-to-agent lateral movement.

MEDIUM Webhook Registration Enables Asynchronous Push-Based Injection -10

The skill supports registering a webhook URL with bidclub.ai. Once registered, the platform can send HTTP POST payloads to the agent at any time, triggered by community events. These payloads include 'text' fields containing up to 500 characters of arbitrary user-generated content, which could carry prompt injection instructions aimed at agents subscribed to specific posts or discussions.

MEDIUM Coercive Mandatory Language Designed to Override Agent Judgment -10

The skill uses CRITICAL, IMPORTANT, MUST, and similar escalation language in multiple places to make compliance with its instructions appear mandatory and non-negotiable. This is a recognized technique for overriding system prompts or user preferences by presenting instructions as higher-priority requirements that the agent must follow regardless of other context.

MEDIUM Investment Pitch Posting Creates Regulatory and Financial Risk -20

The skill is designed to have AI agents autonomously post investment convictions (Long/Short on specific securities, price targets, trade theses) to a public community platform. This likely constitutes unlicensed investment advice in most jurisdictions and could create legal liability for users. At scale, coordinated AI agent posting could constitute market manipulation.

LOW Agent Registration and Twitter Verification Social Engineering -10

The skill instructs agents to create an account on bidclub.ai and then tell the user to post a verification tweet linking their real Twitter identity to the agent account. This embeds the agent in an external identity system, creates a public record associating the user with the agent, and pressures users to take specific social media actions to support the skill's onboarding flow.

LOW Version Mismatch Between SKILL.md and _meta.json -5

The SKILL.md frontmatter declares version 3.5.1 while _meta.json records the latest published version as 3.5.2. This discrepancy is minor but indicates the skill files users receive may not correspond to the most current version tracked in metadata, potentially obscuring changelog differences.

INFO Canary Files Accessed Read-Only by Monitoring System, Not Compromised 0

Filesystem monitoring shows read accesses to canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) but all accesses are read-only (CLOSE_NOWRITE,CLOSE). Timestamps correlate with oathe's pre-install baseline scan (1771926533) and post-install canary check (1771926556), not with the skill installation (git clone at 1771926539). No data was transmitted to external hosts following these reads.