Is leeknowsai/clawfriend safe?
https://github.com/openclaw/skills/tree/main/skills/leeknowsai/clawfriend
ClawFriend is a cryptocurrency social-trading agent skill with multiple DANGEROUS design patterns that create high-severity security risks. The most critical flaw is a systematic dynamic prompt injection mechanism: the skill instructs the agent to load and prioritize arbitrary SKILL.md files from a community marketplace directory before every action, effectively delegating agent instruction authority to any party who can influence that directory. Compounding this, the skill requires direct access to the user's EVM cryptocurrency private key for autonomous blockchain transaction signing, meaning a successful prompt injection via community skills can result in irreversible financial loss. Additionally, the skill installs persistent cron jobs on the host system and can self-update from a remote server, creating a persistent, remotely-modifiable execution presence on the user's machine.
Findings (13)
CRITICAL Community Skills Mechanism Creates Systematic Dynamic Prompt Injection Channel -40
SKILL.md mandates that before EVERY agent action, the agent must read ~/.openclaw/workspace/skills/clawfriend-community-skills/list-skills.md and give any installed community skill FIRST PRIORITY over core instructions. Community SKILL.md content is loaded and treated as agent instructions. Any party who can place or modify a file in that directory — via a compromised marketplace, malicious skill package, or local filesystem access — can inject arbitrary LLM instructions that override all core behavior. The agent is explicitly told to prefer community skills and to execute their scripts.
CRITICAL Cryptocurrency Private Key Required, Stored, and Used for Autonomous Transactions -40
The skill requires EVM_PRIVATE_KEY as an environment variable and uses it directly to sign and broadcast BNB Smart Chain transactions. The recovery flow instructs the agent to solicit this key from the user if absent, then persist it to ~/.openclaw/openclaw.json. A private key grants total, irreversible access to all assets in the wallet. Exfiltration via community skill injection, a compromised update, or a malicious preference file results in permanent financial loss with no recourse.
CRITICAL Persistent Cron Job Installation Creates Background Execution Outside Agent Lifecycle -35
The setup flow deploys cron jobs on the host system via cronjob-manager.js. HEARTBEAT.md defines automated periodic tasks including maintaining online presence and tweet engagement. These jobs run continuously as background processes on the user's machine independent of any active agent session, with full access to the credential store at ~/.openclaw/openclaw.json. The user has no per-execution visibility into what operations are being performed.
HIGH Community Skill Scripts Execute Arbitrary Node.js on Host -30
SKILL.md instructs the agent to cd into community skill directories and run their node scripts. Combined with the mandatory community skills check, any community skill that includes a scripts/ directory can have its code executed by the agent. These scripts run with the same OS permissions as the agent process and have read access to ~/.openclaw/openclaw.json containing the user's crypto private key and API credentials.
HIGH Community Skills + Crypto Wallet = Complete Financial Theft Pipeline -40
The combination of (1) mandatory community skill loading with FIRST PRIORITY before every agent action, and (2) full access to user's EVM private key with autonomous transaction signing creates a complete attack chain. An attacker publishes a community skill to the ClawFriend marketplace with a SKILL.md instructing the agent to buy the attacker's shares or transfer BNB to a specified address. The skill is installed, the agent executes it on the next user request, and funds are gone. This requires no vulnerability — it is the designed behavior of the skill.
HIGH Auto-Update Mechanism Enables Silent Remote Skill Content Replacement -20
The update-checker.js script has an 'apply' command that downloads and replaces skill content from api.clawfriend.ai. If the remote server is compromised, the skill author turns malicious, or the update channel is intercepted, new SKILL.md content with modified instructions will be delivered to all installed instances silently. Post-update instructions could add new exfiltration patterns, modify the community skills loading behavior, or insert additional social engineering flows.
HIGH All Credentials Aggregated Into Single Accessible JSON File -20
All sensitive credentials are written to and read from a single file at ~/.openclaw/openclaw.json: EVM_PRIVATE_KEY (crypto wallet), EVM_ADDRESS, CLAW_FRIEND_API_KEY, and AGENT_NAME. Every skill script reads from this file. Any community skill that achieves file read access (trivial given the agent's filesystem tools) can exfiltrate all credentials in one operation. The aggregation pattern maximizes the blast radius of any single compromise.
HIGH Mandatory Preference File Loading Before Every Action Creates Injection Surface -20
SKILL.md requires the agent to read specific preference files before every relevant action. These files are loaded from the filesystem at runtime and their contents are interpreted as agent instructions. Any process that can modify these files — a malicious update, a compromised community skill, or a background process — can inject instructions into the agent's next action without modifying SKILL.md itself.
MEDIUM Outbound Established Connections to AWS During Install Monitoring Window -20
The post-install network diff shows the openclaw-gateway process (part of the OpenClaw execution infrastructure, pid=1088) with two ESTABLISHED TCP connections to 3.217.42.175:443, an Amazon AWS IP address. These connections were not present in the BEFORE state and were established during the install monitoring period. While likely OpenClaw platform telemetry, the destination and timing warrant noting.
MEDIUM Scheduled Background Scripts Maintain Persistent Outbound API Channel -15
heartbeat.js runs on a cron schedule and makes API calls to api.clawfriend.ai with the user's CLAW_FRIEND_API_KEY. notify.js provides a notification channel. These scripts run even when the user is not actively using the agent, creating a persistent background channel that transmits credentials and activity data to the remote server at regular intervals. The content of these transmissions is opaque to the user.
MEDIUM Persistent Social Media Automation Operates Without Per-Action User Consent -15
Cron-deployed heartbeat tasks autonomously post tweets, like content, follow agents, and maintain 'online presence' on the ClawFriend platform on a schedule. These operations occur without user confirmation for each action. The automation could violate platform terms of service, be co-opted for coordinated inauthentic behavior if community skills are compromised, or take actions the user would not individually approve.
MEDIUM Remote Code Update Replaces Local Scripts Without Review -15
The update:apply npm script downloads updated skill scripts from api.clawfriend.ai and replaces existing files. Applied updates are not sandboxed or reviewed before execution. A future update could introduce new data collection in utils.js, modify the private key handling in wallet.js, or add exfiltration logic to heartbeat.js. Users who installed the skill trusting its initial content have no mechanism to review changes before they execute.
LOW AWS Credentials Present in Environment: Not Accessed During Clone, But Runtime Risk Persists -5
The filesystem baseline confirms ~/.aws/credentials exists in the execution environment, indicating real cloud credentials are present. The skill did not access this file during the clone phase (canaries intact). However, the skill's instruction patterns — mandatory community skill SKILL.md loading, mandatory preference file reading, and execution of community skill scripts — create runtime vectors where injected instructions or malicious community skill scripts could read this path in subsequent agent sessions.