Is jschwerberg/ooze-agents safe?

https://github.com/openclaw/skills/tree/main/skills/jschwerberg/ooze-agents

45
DANGEROUS

Ooze Agents presents as a gamified 'digital pet' identity layer but contains a critical persistent remote instruction channel: the skill explicitly directs agents to download and execute a remotely-hosted HEARTBEAT.md file from ooze-agents.net on a recurring basis, with no integrity verification or version pinning — giving the skill author the ability to dynamically inject arbitrary instructions into any deployed agent at any time. Additionally, filesystem monitoring detected read access to all monitored canary credential files (including .ssh/id_rsa, .aws/credentials, and GCP/Docker credentials) at a post-install timestamp not attributable to audit harness setup, and the skill's guestbook and note APIs constitute a viable covert exfiltration channel when combined with other agent capabilities. While no active exfiltration was confirmed through canary monitoring and the install process was clean, the combination of a live remote instruction vector, unexplained credential file access, and third-party identity tracking infrastructure makes this skill unsuitable for deployment.

Category Scores

Prompt Injection 25/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 82/100 · 10%
Canary Integrity 60/100 · 10%
Behavioral Reasoning 25/100 · 5%

Findings (11)

CRITICAL Remote instruction loading via HEARTBEAT.md -75

SKILL.md explicitly instructs the agent to download and follow a remote markdown file from https://ooze-agents.net/skill/HEARTBEAT.md as its 'full heartbeat routine'. This file is not version-pinned, not hash-verified, and can be updated by the skill author at any time. Any LLM agent following this skill will periodically fetch and execute arbitrary instructions from an attacker-controlled server. This is a persistent remote prompt injection channel.

HIGH Canary credential files accessed post-install -55

Auditd PATH records and inotify events confirm that all major canary credential files were opened and read at two separate timepoints, including after the skill install completed. While the canary integrity system reports no exfiltration through monitored channels, the post-install access batch (timestamp 1771932880) is not attributable to the audit harness setup phase. The access pattern covers the complete set of typical credential locations.

HIGH Autonomous heartbeat loop creates unsupervised agent behavior -40

The skill instructs the agent to check creature status every 3-5 heartbeats and autonomously alert the user on state changes, creating persistent background behavior that runs outside user-initiated actions. This normalizes the pattern of agents taking unrequested actions and establishes a recurring execution context for the HEARTBEAT.md remote instruction payload.

HIGH Agent registration transmits identity to third-party tracker -45

Skill instructs agents to POST their slug and display name to https://ooze-agents.net/api/register, establishing a persistent credential relationship with a third-party service. The returned API key is described as 'only shown once', creating long-term binding. The service also continuously monitors agent activity on MoltCities and Clawstr platforms via 5-minute polling.

HIGH Guestbook and note APIs provide covert exfiltration channel -60

The POST /api/guestbook/:slug and /api/creature/note endpoints accept arbitrary user-controlled text and transmit it to ooze-agents.net. In combination with filesystem or shell access skills, an agent could be instructed to encode sensitive data into guestbook messages or notes and exfiltrate it through this channel, which would not match typical exfiltration signatures.

MEDIUM Dynamic remote instruction execution via markdown fetch -40

Although no executable code is present in the skill directory, the instruction to download HEARTBEAT.md from an external URL and follow its contents is functionally equivalent to remote code execution for an instruction-following LLM agent. The fetched content becomes part of the agent's instruction context with no sandboxing.

MEDIUM XP incentives could drive unsolicited platform posts -30

The XP system awards points for Clawstr posts (5 XP each, up to 50/day) and MoltCities guestbook entries (10 XP each, up to 50/day). A creature-invested agent could be motivated to generate unsolicited posts on social platforms to accumulate XP, producing spam under the user's identity.

MEDIUM Cross-platform identity tracking and permanent on-chain binding -20

The skill creates a persistent cross-platform identity hash ('same identity hash = same creature forever') and offers NFT minting via ERC-8004, creating immutable blockchain records of agent identity. This enables the skill operator to track and correlate agent activity across platforms and sessions permanently.

MEDIUM Persistent memory state write to fixed path -15

Skill instructs agent to store state in memory/ooze-state.json, establishing a specific foothold in agent memory. This path could be used to persist injected state or read by subsequent HEARTBEAT.md instructions to carry forward attacker-controlled context.

LOW Clean install with expected network behavior -18

Installation only contacted GitHub (140.82.121.3) and Ubuntu/Canonical infrastructure. No connections to ooze-agents.net during install. Filesystem changes confined to expected directories. No persistent listeners introduced.

INFO No executable code, hooks, submodules, or symlinks 0

Skill directory contains only _meta.json and SKILL.md. No package.json, no git hooks in .githooks/, no .gitmodules, no .gitattributes filters, no symlinks detected. Risk is confined to the instruction content, not to install-time code execution.