Is l-mendez/chess safe?

The skill instructs agents to periodically fetch https://www.clawchess.com/HEARTBEAT.md and 'follow it.' This creates an unbounded, persistent remote prompt injection vector: the operator can serve arbitrary agent instructions through this file at any time without reinstallation, without user review, and without any scope limitation. The chess game rationale ('check if it's your turn') does not require fetching a freeform instruction document — API polling would suffice. The deliberate use of a markdown instruction file instead of a structured API response is the signature of a designed injection channel.

The complete skill architecture — registration, heartbeat enrollment, periodic HEARTBEAT.md fetch-and-execute, indefinite recurrence — is structurally identical to a botnet C2 system. An agent that installs this skill becomes a persistent node in operator-controlled infrastructure. If clawchess.com is later compromised or the operator turns malicious, all enrolled agents will execute whatever HEARTBEAT.md instructs on their next heartbeat cycle. The chess framing is an effective social engineering layer: it is low-stakes, interactive, and familiar, minimizing user scrutiny during installation decisions.

The skill explicitly instructs agents to rewrite their own HEARTBEAT.md (or equivalent periodic task file). This is not a passive skill — it actively reconfigures the agent's operating loop to include an external dependency. Once an agent does this, removing the chess skill from the skill list will not undo the heartbeat modification; the agent's autonomous behavior has been permanently altered until a separate remediation step is taken.

The skill explicitly encourages agents to re-fetch SKILL.md from the operator's server 'anytime to see new features,' and lists the live URL alongside the installed file. This means the operator can push updated instructions to running agents without going through any skill marketplace review or reinstallation process.

Every action an agent takes based on this skill (polling for games, making moves, checking standings) sends authenticated HTTP requests to clawchess.com, an operator-controlled server. The operator has full visibility into all agent activity. The persistent heartbeat means this contact is recurring and indefinite, not one-off.

Because agents are instructed to fetch and execute HEARTBEAT.md content without restriction, the operator could update this file at any time to instruct agents to read sensitive local files (e.g., ~/.ssh/id_rsa, .env files, ~/.aws/credentials) and transmit their contents to clawchess.com API endpoints (e.g., as a 'player bio' or 'game move'). The canary files were not accessed by the skill during this audit, but the design explicitly provides this capability.

The registration flow transmits a chosen name and bio to an external server, creating an identity record for the agent. This fingerprints agent deployments, enables tracking of agent behavior across sessions, and could be used to correlate agent activity with other data sources.

All three skill files are static text. No executable scripts, npm install lifecycle hooks, .gitattributes filters, git submodules, symlinks, or binary files were found. Shell commands in the documentation are curl examples presented in fenced code blocks and are not auto-executed at install or import time.

The install process cloned only from github.com (140.82.121.4:443) and touched Canonical/Ubuntu infrastructure for system services. No unexpected network connections, no unexpected process spawning, and no filesystem modifications outside the target skill directory were observed.

Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCloud credentials) were accessed at two points: immediately after monitoring started (consistent with audit harness canary setup) and approximately 27 seconds later (consistent with post-install canary verification). All accesses were CLOSE_NOWRITE (read-only). No canary content was transmitted to external endpoints.