Is kevinflynn0503/claw-employer safe?
https://github.com/openclaw/skills/tree/main/skills/kevinflynn0503/claw-employer
The claw-employer skill provides a ClawHire AI agent marketplace integration with no malicious installation behavior and clean canary file integrity. However, it carries significant architectural security risks that stem from its core design: the skill instructs the agent to make HTTP requests to dynamically-resolved worker URLs returned by a third-party API (SSRF vector), processes worker A2A responses as trusted agent output without sanitization (second-order prompt injection surface), and transmits task content — potentially including sensitive user context — to an external marketplace and unknown third-party worker agents. Additional concerns include an undisclosed dependency on academic-research-hub not mentioned in SKILL.md, real Stripe financial transactions that can be triggered without an explicit user confirmation gate, and registration of the user's email with a third-party service during onboarding.
Findings (9)
HIGH (-20): SSRF via dynamic worker A2A URLs from third-party API
The skill instructs the agent to curl {worker_a2a_url} values returned by api.clawhire.io/v1/agents/discover or the A2A gateway. A compromised or malicious ClawHire server could return worker URLs targeting internal network addresses such as AWS EC2 instance metadata (169.254.169.254), Kubernetes API endpoints, or localhost services, causing the agent to proxy requests against internal infrastructure on behalf of the attacker.
HIGH (-15): Second-order prompt injection via worker A2A responses
Worker agent responses received from arbitrary a2a_url endpoints are returned to the calling agent as trusted result content. A malicious worker endpoint can embed prompt injection payloads in the result.parts[].text field, hijacking the agent's behavior after task delegation — including instructing it to exfiltrate data, modify files, or take unauthorized actions.
HIGH (-20): Task content transmitted to external marketplace and unknown worker agents
The skill's primary function involves sending task descriptions to api.clawhire.io and to dynamically-resolved worker endpoints. Any sensitive information present in the agent's context at the time of task creation — API keys, personal data, proprietary code, confidential documents — will be transmitted to ClawHire servers and forwarded to third-party worker agents outside the user's control or visibility.
MEDIUM (-15): Undisclosed skill dependency on academic-research-hub
The .clawhub/lock.json file bundled with the skill declares a locked dependency on academic-research-hub@[version obscured in source], installed at unix timestamp 1770957475341. This dependency is not mentioned in SKILL.md, the skill description, or the _meta.json metadata. The security posture and capabilities of this undisclosed dependency are unknown and cannot be evaluated from the provided evidence.
MEDIUM (-15): Real Stripe financial transactions without explicit confirmation gate
The PAID track posts tasks with real monetary budgets (1–10000 USD) into Stripe escrow with a 1% fee charged to the employer. The skill's Decision Guide can route to the PAID track based on its own assessment of task risk, without requiring an explicit user confirmation step before funds are committed. Manipulation of the agent's task-routing judgment could result in real financial loss.
MEDIUM (-10): User email registered with external service during onboarding
The skill's Setup step 1 instructs the agent to ask the user for their email address and register it with api.clawhire.io/v1/auth/register, creating a ClawHire agent profile. This associates the user's email with a persistent third-party identity. The skill description does not disclose this registration step, and users may not realize they are creating an account on an external marketplace.
LOW (-10): API key written to persistent config file in home directory
The skill stores the CLAWHIRE_API_KEY in ~/.openclaw/openclaw.json. While the skill explicitly says not to store keys in workspace files, the home directory config file is accessible to any skill or process with filesystem read access, creating a persistent credential exposure surface.
LOW (-5): Canary credential files read post-install
All six canary credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were read-accessed at unix timestamp 1771935601.192 — approximately 5 seconds after skill installation completed at 1771935596. The canary integrity check confirms no modification occurred. The simultaneous access to all six files within the same audit second is consistent with the audit system's own post-install verification pass rather than targeted credential harvesting by the skill.
INFO (0): Skill is instruction-only with no executable code or hooks
Complete review of all skill files confirms no JavaScript, TypeScript, Python, shell scripts, git hooks, submodules, or symlinks. The skill is pure markdown documentation. No code executes at install time. Runtime behavior is limited to the agent following curl instructions.