Is josephrp/autonomous-agent safe?

https://github.com/openclaw/skills/tree/main/skills/josephrp/autonomous-agent

65
CAUTION

This cryptocurrency wallet management skill poses significant security risks due to its combination of legitimate but dangerous financial capabilities and concerning credential access behavior. While the core functionality appears to be a genuine blockchain payment processing tool, it attempts to access sensitive system credential files including SSH keys, AWS credentials, and environment variables, creating serious data exfiltration risks.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 20/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 30/100 · 5%

Findings (5)

CRITICAL Sensitive Credential File Access -80

The skill attempts to access multiple sensitive credential files including .env, SSH private keys, AWS credentials, Docker config, and Google Cloud credentials. This behavior is extremely concerning as it could lead to unauthorized access to external systems and services.

HIGH High-Risk Financial Operations -40

This skill manages cryptocurrency wallets, private keys, and can execute financial transactions. The combination of financial capabilities with system credential access creates significant risk for fund theft or unauthorized transactions.

HIGH Dangerous Capability Combination -30

The skill pairs legitimate but high-risk cryptocurrency operations with suspicious credential access behavior, a combination that could be exploited for both financial theft and system compromise.

MEDIUM Extensive Executable Codebase -30

The skill contains a large JavaScript codebase with numerous dependencies and executable scripts, increasing the attack surface and potential for vulnerabilities or malicious code execution.

MEDIUM External Service Dependencies -15

The skill references multiple external URLs and services for payment processing and whitelisting, which could be used for malicious redirects or data exfiltration.