Is masterworrall/solid-agent-storage safe?
https://github.com/openclaw/skills/tree/main/skills/masterworrall/solid-agent-storage
solid-agent-storage is a functionally legitimate Solid Protocol integration skill with no prompt injection, malware, or covert exfiltration. The primary concern is architectural: the skill defaults to storing all agent memory, notes, and conversation logs on crawlout.io, a server operated by the skill author (Interition), without end-to-end encryption. While this is documented, most users will not configure a self-hosted server, resulting in passive aggregation of sensitive agent state on author-controlled infrastructure. The compiled-only code distribution and undisclosed cross-skill dependency add minor auditability concerns.
Findings (9)
HIGH Default storage backend is author-controlled server -30
When SOLID_SERVER_URL is not configured, all agent data is stored on https://crawlout.io operated by Interition, the skill author. The skill explicitly encourages storing agent memory (notes, learned facts, preferences) and conversation logs in pod containers that reside on this server. The server administrator has technical capability to read all stored pod data regardless of WAC access controls. This is disclosed in SKILL.md but is easily missed, and the default path presents a persistent data aggregation risk for all non-self-hosting users.
MEDIUM Pre-compiled JavaScript distributed without source -20
The skill ships compiled JavaScript in dist/ rather than source TypeScript. Source maps are referenced in compiled files (sourceMappingURL comments) but the .js.map files are not included in the skill package. The reviewed code appears consistent with the documented functionality, but complete independent verification is not possible without source files. This is a gap in auditability rather than a confirmed threat.
MEDIUM Passive data aggregation at scale on author infrastructure -25
As a default-configured skill deployed across many OpenClaw users, crawlout.io becomes a centralized repository of agent memory from all non-self-hosting deployments. Even if Interition's current intentions are benign, this creates a high-value target for compromise, future policy changes, or business acquisition. Agents storing research findings, user preferences, and conversation context create a detailed behavioral profile per agent (and by extension, per user).
MEDIUM No end-to-end encryption of pod data at rest on Solid server -15
The INTERITION_PASSPHRASE env var and AES-256-GCM encryption protect credentials stored locally on the user's device. However, data written to the Solid pod (via curl PUT/PATCH) is stored unencrypted on the Solid server. The server-side protection is WAC access controls, which the server operator can bypass. Users storing sensitive information in their agent's pod have no technical guarantee of confidentiality from the server administrator.
LOW Undocumented cross-skill dependency on academic-research-hub -10
The .clawhub/lock.json file embedded in the skill package references academic-research-hub v0.1.0 as an installed skill. This suggests the skill was developed or tested alongside this dependency, but no mention of it appears in SKILL.md. The nature of this relationship is unclear — it may be a development artifact or indicate integration behavior not disclosed to users.
LOW Server password generated with low-entropy timestamp component -5
During provisioning, the CSS account password is generated as: agent-${name}-${Date.now()}. Combined with the agent name, this is reasonable for an auto-generated server password, but its structure is predictable if an attacker knows the agent name and approximate provisioning time. This password is stored encrypted locally and used only during deprovision, so exploitability is low.
INFO No prompt injection detected in SKILL.md 0
Full review of SKILL.md found no override instructions, hidden directives, persona manipulation, or attempts to suppress agent output. The skill documentation is accurate and transparent about its architecture.
INFO Strong local credential security 0
Local credential storage uses AES-256-GCM with PBKDF2 key derivation (100,000 iterations, SHA-256, random 32-byte salt per file, random 16-byte IV per encryption). File permissions are set to 0600. This is a well-implemented local secrets store.
INFO Clean install — no exfiltration during clone 0
Network monitoring during install showed only expected GitHub traffic. No connections to crawlout.io or any Interition infrastructure occurred at install time. The skill correctly defers all server contact to explicit script invocation.