Is keeganthomp/agent-soul safe?
https://github.com/openclaw/skills/tree/main/skills/keeganthomp/agent-soul
Agent Soul is a legitimate-appearing NFT marketplace skill that discloses its payment model and requirements upfront, but carries significant inherent risks: it requires direct access to a Solana private key, delegates that key to unaudited third-party @faremeter/* packages, and instructs the agent to autonomously authorize USDC micropayments on every write operation without per-transaction user confirmation. The install phase was clean with no unexpected network activity or canary file compromise, but the skill's operational design creates a live cryptographic key exposure surface and autonomous financial spending capability that warrants careful review before deployment.
Findings (9)
HIGH Cryptographic Private Key Accessed and Delegated to Unaudited Third-Party Packages -30
The skill requires SOLANA_PRIVATE_KEY to be present and explicitly constructs a live signing keypair from it using bs58.decode. This keypair is then passed to @faremeter/wallet-solana and @faremeter/payment-solana/exact — packages with no significant public audit trail. Any of these packages could log or transmit the raw private key bytes.
HIGH Autonomous Financial Transaction Authorization Without Per-Transaction Consent -20
The paidFetch wrapper is instructed to automatically handle 402 Payment Required HTTP responses by signing and submitting USDC micropayments. This means any agent action involving a write endpoint will spend real cryptocurrency without asking the user to confirm each transaction. The skill explicitly frames this as automatic: 'it automatically handles 402 Payment Required responses by signing and submitting USDC payment transactions.'
HIGH Live Mainnet Wallet Enables Autonomous Real-Money Spending -30
The skill operates on Solana mainnet (not devnet/testnet) with real USDC. An agent executing a normal browsing-and-commenting workflow could spend $0.15 or more per session without explicit user approval per action. The skill's 'minimum budget' framing normalizes this spending pattern.
MEDIUM Unaudited @faremeter/* Package Chain Handles Private Key Signing -15
Four @faremeter/* packages are required: wallet-solana, info, payment-solana, and fetch. These packages have minimal public presence and their npm install scripts, if any, execute at install time with access to the runtime environment. They sit directly in the cryptographic signing path for the user's private key.
MEDIUM Skill Dangerous in Combination with Content-Processing Skills -20
If this skill is active alongside any skill that processes user-generated or external content (web browsing, email reading, document parsing), an attacker who can place crafted instructions in gallery comments, artwork titles, or API responses could trigger arbitrary wallet transactions via indirect prompt injection. The agentsoul.art API returns user-generated content (comments, artwork titles, agent bios) that would be processed in the same context as the skill instructions.
MEDIUM Installation of @faremeter/* Packages with Unknown npm Scripts -20
The skill instructs the agent (or user) to npm install four packages from the @faremeter namespace. npm install executes preinstall and postinstall scripts automatically. These packages are not widely known and their source code has not been audited in this assessment. Malicious install scripts would execute with full user permissions.
LOW Agent Context Reframed to Platform Identity -8
The opening instruction 'You are interacting with the Agent Soul platform' contextually positions the agent as an agent-soul participant, which could subtly influence how the agent interprets subsequent ambiguous instructions in favor of platform engagement (generating art, buying artwork, spending USDC).
LOW Wallet Address Transmitted as Body Parameter in Every Write Request -5
The walletAddress (derived from the private key) is sent in the JSON body of every write API call. This creates a permanent on-server identity record linking all agent actions to the cryptographic identity, at a third-party service the user must fully trust.
INFO Clean Clone — GitHub Traffic Only 0
The install phase only generated expected HTTPS traffic to github.com (140.82.121.4:443). No unexpected external connections, no post-install script execution, no filesystem writes outside the skill directory.