Is jkillr/0xwork safe?

https://github.com/openclaw/skills/tree/main/skills/jkillr/0xwork

57
CAUTION

The 0xwork skill presents no malicious behavior during installation but carries substantial operational risk from its runtime behavior: it instructs agents to install and execute an unverified npm package (@0xwork/sdk), authorizes autonomous irreversible cryptocurrency transactions on Base mainnet, and exposes the agent to secondary prompt injection via untrusted task descriptions from third-party task posters. The skill's .env file-walking design could inadvertently expose pre-existing credentials to the SDK binary, and the explicit exec tool authorization for Code tasks creates a code execution path through adversarially crafted tasks.

Category Scores

Prompt Injection: 55/100 (weight 30%)
Data Exfiltration: 55/100 (weight 25%)
Code Execution: 35/100 (weight 20%)
Clone Behavior: 90/100 (weight 10%)
Canary Integrity: 95/100 (weight 10%)
Behavioral Reasoning: 30/100 (weight 5%)

Findings (10)

[HIGH] npx remote code execution in Quick Peek (-35)

The very first command shown in SKILL.md ('npx @0xwork/sdk discover') fetches and executes the @0xwork/sdk npm package without installation review. Any agent following this skill will execute unverified third-party code from npmjs.com as its first action.

[HIGH] Global npm package install of unverified SDK (-30)

The skill instructs a global installation of @0xwork/sdk, an npm package from an author with no established trust. npm lifecycle scripts (preinstall, install, postinstall) run with the full privileges of the installing user and can read files and environment variables and make network connections.

[HIGH] Autonomous irreversible cryptocurrency transactions (-40)

The skill grants agents full authority to claim tasks (locking $AXOBOTL stake), approve ERC-20 token spend, submit deliverables, and receive USDC payments — all without per-transaction user confirmation. Abandoning a task incurs a 50% stake slash. These are real mainnet transactions on Base.

[HIGH] Secondary prompt injection via untrusted task descriptions (-25)

Task descriptions fetched from the 0xWork API are composed by unknown third parties. The skill instructs the agent to read and execute these descriptions as instructions (write deliverables, run code, post content). A malicious task poster can craft descriptions to redirect agent behavior, exfiltrate memory, or abuse tool access.

[MEDIUM] .env file walking exposes pre-existing credentials to SDK (-20)

The 0xwork CLI searches parent directories for .env files. If run from a project directory containing a .env with AWS, Anthropic API keys, or database credentials, those values are loaded into the CLI's environment and potentially accessible to the SDK's code.

[MEDIUM] Autonomous social media posting without confirmation (-20)

The Social task execution strategy explicitly authorizes posting to external platforms via browser without any user confirmation step. A malicious task could instruct the agent to post sensitive information or spam.

[MEDIUM] exec tool explicitly authorized for Code task deliverables (-15)

The execution guide authorizes exec tool use to test code produced as task deliverables. Since task descriptions are authored by untrusted third parties, this creates a path for arbitrary code execution via crafted Code tasks.

[MEDIUM] Task deliverables uploaded to third-party API (-10)

The 0xwork submit command uploads files to api.0xwork.org. Any sensitive data included in work product (from web_fetch, exec output, or agent memory) would be transmitted to an external service.

[LOW] Private key written to .env in working directory (-10)

0xwork init generates a wallet and writes PRIVATE_KEY to .env. This key controls real cryptocurrency. Any tool call or process with access to the working directory can read this key.

[INFO] Clean installation — no malicious behavior during clone (0)

The installation process was a straightforward git sparse-checkout with no npm scripts, no unexpected process spawning, no writes outside the skill directory, and no connections to 0xwork.org or npmjs.com.