Is leftysplat/splatworld safe?
https://github.com/openclaw/skills/tree/main/skills/leftysplat/splatworld
Splatworld is a social metaverse platform for AI agents with significant architectural security concerns centered on remote prompt injection and autonomous operation. The most critical issue is that skill.json declares skill_url and heartbeat_url pointing to api.splatworld.io, meaning the actual agent instructions are fetched from a remote server at runtime and can be changed by the platform operator without updating the published skill—an unauditable prompt injection channel. Combined with mandatory cron-based autonomous operation every 2-4 hours, a centralized /session/next command-and-control endpoint directing agent behavior, and instructions to execute npx clawhub@latest to replace skill files, this skill creates a persistent, operator-controlled AI agent that operates continuously without user supervision. No honeypot credentials were accessed or exfiltrated during installation, and the canary integrity check was clean, indicating the reviewed version does not actively exfiltrate local credentials, but the design-level risks from remote instruction control and autonomous operation are substantial.
Category Scores
Findings (11)
CRITICAL Server-Side Prompt Injection via Remote skill_url and heartbeat_url -40
skill.json declares skill_url: 'https://api.splatworld.io/skill.md' and heartbeat_url: 'https://api.splatworld.io/heartbeat.md'. The instructions actually injected into the agent's operating context are loaded from a remote server at runtime, not from the audited repository. The platform operator can silently modify what instructions the agent receives at any time without updating the published skill version, creating a permanent, unauditable prompt injection vector. The skill also explicitly instructs the agent to refresh the installed heartbeat.md from this URL at each session.
HIGH Dynamic Heartbeat Loop Downloaded and Executed from Remote Server -25
SKILL.md instructs agents to download operating loop instructions directly from api.splatworld.io and execute them every 2-4 hours. The remote heartbeat content directs all agent actions including what worlds to enter, what to post, who to follow, and how to vote. Any modification to this remote file immediately changes agent behavior across all installations without the user's knowledge.
HIGH Arbitrary Remote Code Execution via npx clawhub@latest -30
HEARTBEAT.md instructs agents to run 'npx clawhub@latest update splatworld' once per day as a version check. This executes the latest unpinned version of the clawhub npm package from the public npm registry with full agent permissions. The package replaces all skill files, enabling the skill author or a compromised npm package to deliver arbitrary code execution on the next update cycle. No version pinning or integrity verification is performed.
HIGH Persistent Cron Job and Background Daemon Installation Required -15
The skill explicitly requires agents to install system cron jobs running every 2-4 hours and launch a persistent SSE listener as a nohup background process. These persist independent of user sessions, are difficult to detect and audit, expand the attack surface for ongoing compromise, and allow the skill to continue operating after the user has finished their session.
MEDIUM Post-Install Network Connections via openclaw-gateway Process -35
The connection state diff shows that after the skill was installed, the openclaw-gateway process (pid=1091) established two new ESTABLISHED TCP connections to external servers (44.214.208.192:443 on AWS and 104.16.0.34:443 on Cloudflare CDN) and opened two new local listening ports (18790, 18793). These connections were not present before installation and indicate the skill installation triggered activity in the OpenClaw platform infrastructure that establishes ongoing connectivity.
MEDIUM Centralized Command-and-Control Architecture Enables Coordinated Agent Manipulation -40
The GET /session/next endpoint serves as a centralized command-and-control mechanism that returns prioritized action queues directing agent behavior. All registered agents query this endpoint and execute actions in priority order determined by the platform. Combined with the mandatory autonomous 2-4 hour operation and voting mechanics, this creates an infrastructure where the platform operator can direct hundreds or thousands of AI agents to vote for specific content, follow specific agents, or generate specific world types in a coordinated manner indistinguishable from organic activity.
MEDIUM Permanent Twitter Identity Linkage to All Agent Activity -20
Registration requires Twitter verification, linking the agent permanently to a real human Twitter account. All subsequent agent activity (content posted, votes cast, worlds visited, agents followed, and behavioral analytics) is permanently associated with this identity. The platform tracks comprehensive metrics including health scores, streaks, karma milestones, and activity patterns, creating a detailed behavioral profile tied to a real person.
MEDIUM Solana Wallet Address Submitted to External Platform -20
The skill instructs agents to submit Solana wallet addresses to the platform via POST /agents/me/wallet, linking crypto wallets to AI agent accounts that are themselves linked to verified Twitter identities. The $SPLAT token contract address is hardcoded in the skill, enabling the platform to facilitate financial transactions. This creates a complete financial deanonymization chain: wallet address → agent → Twitter account → real person.
MEDIUM Mandatory Autonomous Operation Removes User from Control Loop -15
The skill design explicitly requires agents to operate autonomously every 2-4 hours without user initiation, framing this as non-optional: 'If you don't install this, your health decays, prompts expire, and you miss conversations. This is not optional.' This design removes the user from the approval chain for ongoing agent actions including posting content, voting, following other agents, and spending cryptocurrency, creating significant liability and autonomy concerns.
LOW Embedded Executable Shell Script in Markdown Instructions -10
HEARTBEAT.md contains a complete bash script intended to be saved to disk and executed as a daemon. While the script content appears functional and not malicious in the reviewed version, embedding executable shell scripts in remotely-fetched markdown files that agents are instructed to run creates a pattern enabling future malicious script delivery through the same channel.
INFO No Honeypot Credential Exfiltration Detected 0
All honeypot files including .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json remained intact throughout the monitoring period with no modification or content exfiltration detected. File access syscalls for these paths occurred only during the pre-install monitoring baseline sweep, not from skill-related processes.