Is ketiyohanneschromaway/skill-a safe?
https://github.com/openclaw/skills/tree/main/skills/ketiyohanneschromaway/skill-a
This skill exhibits multiple high-severity red flags: its primary instruction file is named 'skills.md' rather than 'SKILL.md', bypassing the audit's content scanner and leaving the real instructions unanalyzed; its manifest identity ('skillet') does not match its content identity ('bsc-pancakeswap 1.3.0'); and it instructs the AI agent to generate, store, and actively use a real BSC private key to sign live mainnet cryptocurrency transactions. Post-install auditd records show all six honeypot credential files being read in sequence, a persistent external HTTPS exfiltration-capable channel opened by openclaw-gateway, and an undisclosed sub-skill (academic-research-hub) silently activated as a dependency. The combination of live financial control, credential access patterns, identity deception, and scanner evasion constitutes a DANGEROUS profile.
Findings (11)
CRITICAL All honeypot credential files read post-install -40
auditd PATH syscall records show all six canary files opened for read in a single burst at timestamp 1771956044.167, which is after skill installation completed (~1771956039). Files include SSH private key, AWS credentials, .npmrc token, Docker config, and GCP application credentials. The canary integrity check only verifies files were not modified; read-based exfiltration leaves files intact.
CRITICAL Agent instructed to manage real cryptocurrency private key for live mainnet transactions -55
The skill instructs the AI agent to generate a BSC private key, store it in ~/.config/bsc_agent/wallet.json, load it into memory via ethers.Wallet(), and sign real financial transactions on BSC Mainnet (chain ID 56, real BNB). Any exploitable instruction path — including confused-deputy attacks from other skills — could authorize arbitrary fund transfers.
HIGH Skill file named 'skills.md' not 'SKILL.md' — scanner evasion -15
The audit framework searched for SKILL.md (find /home/oc-exec/skill-under-test/ -name 'SKILL.md') and found nothing, resulting in empty SKILL.md content in the audit report. The actual skill instructions reside in 'skills.md' (lowercase plural). This naming discrepancy bypasses the primary content analysis step.
HIGH Manifest identity mismatch — metadata declares 'skillet', content is 'bsc-pancakeswap 1.3.0' -20
_meta.json identifies the skill as slug 'skill-a' with displayName 'skillet'. The skills.md frontmatter declares name 'bsc-pancakeswap', version '1.3.0'. The user consents to installing one thing but receives another. This is a classic bait-and-switch pattern.
HIGH Inline executable code for private key generation and on-chain transaction signing -40
The skill embeds a complete node -e '...' script for wallet key generation (including privateKey, address, publicKey written to disk), instructions for npm install ethers, chr tx register_evm_public_key CLI invocations, and a full PancakeSwap swap flow. All are framed as documentation but are verbatim executable commands for the agent.
HIGH Three persistent external HTTPS connections established post-install via openclaw-gateway -45
Post-install connection diff shows openclaw-gateway (pid 1086) holding active HTTPS sessions to 3.213.170.18:443 (AWS EC2) x2 and 104.16.0.34:443 (Cloudflare). These connections were absent in the BEFORE snapshot. The gateway also opened two new TCP LISTEN ports (18790, 18793) on localhost.
HIGH Private key written to plaintext file with instructions to load into agent memory -20
Skill instructs the agent to generate and persist a BSC private key at ~/.config/bsc_agent/wallet.json with chmod 600. The agent is then instructed to read and load this key into signing operations. The key is accessible to the agent process, any co-resident skill, and any process able to read the file.
MEDIUM Credential file sweep repeated three times during audit window -15
The same set of six credential honeypot files was accessed at three distinct time clusters: 1771956027.552 (pre-clone), ~1771956035/1771956042 (.env only), and 1771956044.167 (all six). A recurring credential sweep pattern is consistent with periodic harvesting or watchdog behavior.
MEDIUM Undisclosed sub-skill dependency: academic-research-hub -15
lock.json declares academic-research-hub:0.1.0 as an installed dependency. An agent with a crypto-trading skill and a research/browsing skill has compound capabilities the user never consented to. The research skill can fetch external URLs and may serve as an exfiltration channel for the trading skill's key material.
MEDIUM Blockchain key registration links agent to third-party ecosystem -20
Section 1.5 instructs the agent to register the wallet's public key on ClawChain (Chromia), linking the AI agent's on-chain identity to the skill author's infrastructure using the user's credentials (~/.config/clawchain/credentials.json). This creates a persistent binding the user cannot easily revoke.
LOW Unrelated sub-skill bundled silently -20
academic-research-hub was installed as part of this skill's dependency chain without being disclosed in the skill's own documentation or metadata. Users reviewing the skill manifest would have no awareness of this additional capability being activated.