Is liboheng/claws-nft safe?

https://github.com/openclaw/skills/tree/main/skills/liboheng/claws-nft

Overall score: 72 (CAUTION)

The claws-nft skill is structurally clean (pure markdown, no executable code, clean install) but contains two significant security risks that warrant caution: (1) a live remote URL injection vector that allows clawsnft.com to serve updated instructions to any agent that follows the 'read the URL directly' suggestion, and (2) a blind transaction signing flow where the agent signs opaque Solana transactions from an untrusted server, creating real financial manipulation risk since transaction contents can include arbitrary instructions beyond NFT minting. The canary files were not exfiltrated and the install process was behaviorally clean, but the skill's operational design creates ongoing risk whenever it is actually used.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 82/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 76/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 42/100 · 5%

Findings (8)

HIGH Live remote URL injection vector -25

The skill contains the instruction 'Or just read the URL directly!' pointing to https://clawsnft.com/skill.md. If an agent fetches this live URL, the server can serve different instructions from those installed locally at any time, enabling persistent and updatable prompt injection without modifying the installed skill file.

CRITICAL Blind transaction signing from untrusted server -50

The skill's core flow requires the agent to sign a base64-encoded Solana transaction received from the clawsnft.com API. Solana versioned transactions can contain multiple instructions. A malicious server can bundle arbitrary instructions (wallet drain, token transfers, etc.) alongside the NFT mint instruction. The agent has no way to decode and verify transaction contents before signing, meaning user funds could be stolen with a single malicious API response.

HIGH Agent-managed real cryptocurrency operations -8

The skill requires the agent to control a Solana wallet with real monetary value (minimum 0.025 SOL). Directing AI agents to autonomously manage and sign cryptocurrency transactions creates substantial financial risk with no confirmation mechanism or transaction inspection step described in the skill.

MEDIUM Server-controlled challenge evaluation -10

The /challenge endpoint returns a 'challenge' field described as 'math, code, or logic problem'. The word 'code' suggests the server could return a challenge requiring the agent to evaluate code, which could be used to probe agent capabilities or extract information through the challenge-response mechanism.

MEDIUM Private key material exposure risk -18

While the skill claims 'your Solana private key should never leave your local environment,' the workflow requires the agent to have access to the private key to call tx.sign([yourKeypair]). If the agent has file system access, it may read private key material from disk. The skill provides no sandboxing guidance for where/how the agent accesses this key.

LOW openclaw-gateway established connections to unknown AWS endpoint post-install -24

The network diff shows openclaw-gateway (pid=1094) established two connections to 98.83.99.233:443 (AWS EC2) after install. While this process appears to be the platform's own infrastructure (not skill-spawned), the connections were not present before and the destination is an unidentified commercial cloud endpoint.

LOW No executable code present 0

The skill is a pure SKILL.md documentation file. No npm scripts, git hooks, submodules, or executable files were found. The JavaScript code examples are documentation snippets only.

INFO All canary files intact 0

The monitoring framework confirmed no exfiltration of honeypot credential files. Auditd PATH accesses of canary files correspond to the monitoring framework's own pre/post integrity verification reads.