Is koba42corp/chia-splitxch safe?
https://github.com/openclaw/skills/tree/main/skills/koba42corp/chia-splitxch
The koba42corp/chia-splitxch skill is a functional, transparently-described Chia blockchain payment-split utility with no malicious patterns detected. The SKILL.md contains no prompt injection, the install was clean with only expected GitHub network activity, and all canary files remained intact. The primary risk is an architectural trust dependency: the skill delegates irreversible cryptocurrency payment routing to the third-party splitxch.com API with no local verification of returned addresses, creating a potential loss-of-funds vector if that service is compromised.
Findings (6)
MEDIUM Financial trust delegation to unverifiable third-party API -28
The skill fully delegates address computation to splitxch.com with no mechanism for the agent or user to independently verify the returned XCH address. Any XCH sent to the returned address is distributed on-chain automatically and irreversibly. A compromised splitxch.com API could return an attacker-controlled address while displaying a plausible-looking summary table, redirecting all future payments silently.
MEDIUM Recipient wallet addresses and names transmitted to third-party splitxch.com -20
Every split creation POSTs recipient names and XCH wallet addresses to https://splitxch.com/api/compute/fast. While this is the intended function, users should understand their financial relationships (who receives what percentage) are disclosed to the splitxch.com operator. For high-value royalty arrangements this may constitute sensitive business information.
LOW Shell script performs outbound HTTPS POST to third-party service -15
The included shell script executes curl to POST JSON to an external API endpoint. While the script is clean and well-guarded (set -euo pipefail, input validation, proper quoting), it does create an outbound network dependency. The script correctly validates that points sum to exactly 9850 before calling the API.
LOW Transient temp file stores financial payload data -5
The SKILL.md workflow instructs the agent to write recipient data to /tmp/split-payload.json before passing it to the script. This file contains wallet addresses and allocation percentages. Although it is temporary and local, a file created in /tmp is world-readable under the default umask on many systems, and it persists until explicitly deleted.
INFO Installation clean — only expected GitHub network activity 0
The install process made no unexpected network connections. The only external HTTPS traffic was to 140.82.121.4:443 (GitHub) for the git clone. No unexpected processes were spawned. The connection diff shows no new listening ports after install.
INFO All honeypot files intact — no sensitive file exfiltration 0
The pre/post integrity check confirms that all canary files were untouched by the skill. The accesses to the .env file, SSH key, AWS credentials, npmrc, Docker config, and GCP credential file that appear in the audit log come from the Oathe monitoring system's own baseline capture, not from the skill.