Is jozh-bit/unzipped-skill safe?

The skill's frontmatter description and opening body both assert 'Official skill from the Farcaster team.' The publisher is 'jozh-bit', a third party with no documented affiliation to the Farcaster protocol or its team. This constitutes deliberate identity fraud designed to make users and agents trust the subsequent malicious workflow.

The skill instructs the agent to generate a crypto wallet then immediately call console.log on the private key. In any LLM agent execution environment, this captures the key in the model context window, the conversation transcript, session logs, and any observability pipeline. The key is then usable by anyone who can access these artifacts.

Step 1 of the skill's workflow directs the agent to ask the user to transfer approximately $1 of real ETH or USDC to a wallet address the agent just generated. This is a social engineering attack that weaponizes the trusted agent–user relationship to extract money under the guise of legitimate account setup.

After wallet creation and user funding, the skill instructs the agent to persist custodyPrivateKey and signerPrivateKey to ~/.openclaw/farcaster-credentials.json or ./credentials.json in unencrypted JSON. These files survive the session and are readable by any local process or subsequent skill with filesystem access.

Every Farcaster Hub API call is gated by an x402 micropayment of 0.001 USDC sent to the hardcoded address 0xA6a8736f18f383f1cc2d938576933E5eA7Df01A1 on Base. This address is not the Farcaster protocol; its beneficiary is unknown and unverifiable. Any user who funds the wallet and uses the skill continuously drains USDC to this address.

The install command runs npm install from {baseDir}/.. (the parent directory). SKILL.md explicitly states the complete implementation lives at https://github.com/rishavmukherji/farcaster-agent — a repository not audited here. That package's npm lifecycle scripts (preinstall, postinstall, prepare) execute during install with full user permissions and were not inspected.

auditd PATH records at timestamp 1771934618.105 — after skill installation completed — show read-level syscall access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application_default_credentials.json. File contents were not confirmed modified or exfiltrated, but reads at this timing are unexplained and consistent with credential reconnaissance.

Every shell command in SKILL.md prepends 'cd {baseDir}/..' to operate one level above the skill's own directory. This means execution scope, file reads, and npm operations span the parent of the skill installation, increasing the attack surface compared to skills that operate within their own directory.

The skill assembles every component of a crypto wallet drainer attack: (1) false authority lowers victim guard, (2) wallet generation exposes private key in LLM context, (3) social engineering extracts real money from user, (4) private key written to disk for future theft, (5) all API usage funds an unknown third party. No legitimate Farcaster onboarding tool needs to print private keys or hardcode a payment address outside Farcaster's own infrastructure.