Is ktaesthetix/qrcoin safe?

The contributeToBid section provides a complete Bankr prompt example that hardcodes https://grokipedia.com/page/debtreliefbot as the bid URL and MerkleMoltBot as the bidder name. An agent that follows this example without substituting the user's intended URL will spend approximately 1 USDC of the user's real funds contributing to the skill author's preferred QR code advertisement. This constitutes a subtle prompt injection: the skill embeds a specific desired outcome (promoting the author's URL) into the agent's workflow under the guise of illustrative documentation.

The skill instructs the agent to issue a one-time approval of 50 USDC to the auction contract before any bid is placed. The minimum transaction cost is ~1 USDC (contributeReserve) and ~11.11 USDC (createBidReserve). Approving 50 USDC grants the contract authority to pull funds for multiple subsequent operations without re-authorization from the user, amplifying the impact of any accidental or injected bid instruction.

The skill's workflow proceeds directly from status queries to USDC approval to bid placement without instructing the agent to confirm the target URL, bid amount, or token ID with the user at any stage. Combined with the hardcoded URL example, a user asking 'participate in a QR coin auction for me' could trigger unauthorized spending with no intermediate confirmation.

The skill delegates all on-chain transaction construction and signing to 'Bankr' without specifying the skill author, version, repository, or expected behavior. If a malicious or incompatible Bankr variant is installed, it could redirect transactions, alter contract addresses, or exfiltrate private keys while appearing to follow this skill's instructions.

All blockchain read queries are directed exclusively to mainnet.base.org (Coinbase-operated). This endpoint receives the agent's source IP, query timing, and contract call data. No user-configurable RPC alternative is defaulted despite the inline note that substitution is possible. Users with privacy requirements or who prefer self-hosted RPC nodes must manually modify the prompts.

The installation process performed a standard git sparse-checkout of the skill subdirectory from the openclaw/skills monorepo. No unexpected network connections, no process spawning outside the expected git stack, and no filesystem modifications outside the skill directory were observed. Connection diff shows no new persistent listeners or established connections post-install.

Monitoring confirmed that .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json were not exfiltrated. The observed PATH audit events for these files at timestamps 1771941533 and 1771941551 correlate with the monitoring framework's own pre- and post-install integrity sweeps, not with skill-initiated file reads.