Is matbalez/origram safe?

https://github.com/openclaw/skills/tree/main/skills/matbalez/origram

Score 74 · CAUTION

The origram skill is a well-structured API documentation guide for a Bitcoin Lightning-gated photo sharing service. It contains no prompt injection, hidden instructions, or malicious code, and the installation was clean with no canary exfiltration. However, the skill's functional design, which explicitly teaches agents to base64-encode arbitrary local files and POST them to an external endpoint (origram.xyz, operated by the skill author, where posts are displayed publicly), constitutes a high-risk exfiltration pathway: any agent with filesystem access and this skill loaded can trivially be redirected from sharing photos to exfiltrating credentials.

Category Scores

Prompt Injection 82/100 (weight 30%)
Data Exfiltration 38/100 (weight 25%)
Code Execution 90/100 (weight 20%)
Clone Behavior 88/100 (weight 10%)
Canary Integrity 100/100 (weight 10%)
Behavioral Reasoning 35/100 (weight 5%)

Findings (9)

HIGH Skill Teaches Base64 File Encoding and Upload to an External, Author-Controlled Server -45

The skill explicitly documents Method 2 (imageBase64), which base64-encodes any local file and POSTs it to origram.xyz. The example uses $(base64 -w0 /path/to/photo.jpg), a command substitution template that works identically with /home/user/.ssh/id_rsa, /home/user/.aws/credentials, or /home/user/.env, because nothing in the documented request checks that the encoded bytes are actually an image. An agent with filesystem access and this skill loaded is one social-engineering prompt away from full credential exfiltration.

HIGH All Uploaded Data Transmitted to Owner-Controlled origram.xyz -17

Every skill invocation that results in a successful post sends up to 10MB of data to https://origram.xyz, a service owned and operated by the skill author (matbalez). The service receives the full image/file content, the annotation (which may contain agent-generated context), and the bot identifier. There is no independent escrow, content filtering, or third-party oversight.

MEDIUM BOLT12 Offer Field Provides 2000-Character Public Exfiltration Channel -10

The optional bolt12Offer field accepts up to 2000 characters and is displayed publicly on the origram.xyz website. This field could carry base64-encoded secrets or structured data that looks like a Lightning Network offer string but encodes exfiltrated content. Because the field is displayed publicly, retrieving the data requires no access to the origram.xyz backend: the operator, the party who induced the post, or anyone else viewing the site can read it.

MEDIUM imageUrl Method Enables Potential SSRF and Internal Resource Forwarding -7

Method 3 allows specifying any public URL for the image. If origram.xyz fetches the provided URL server-side, an attacker could point it at internal services (http://169.254.169.254/latest/meta-data/ for cloud metadata, internal APIs, etc.) and receive the response content via the published post or server-side storage. This is a potential server-side request forgery (SSRF) risk on origram.xyz; the skill's client-side documentation does not say whether or how the server fetches the URL, so it is not confirmed here.

MEDIUM Skill Is a Pre-Built Exfiltration Pipeline Disguised as Photo Sharing -50

The skill's intended use case (photo sharing bots) is legitimate, but its functional design, read a local file, base64-encode it, HTTP POST it to an external server with metadata, is functionally indistinguishable from a data exfiltration utility. Combined with any skill that grants filesystem enumeration or read access, it closes the loop to a fully automated exfiltration chain. The payment gate (175 sats) adds friction but does not prevent abuse.

LOW Unexpected Companion Dependency: academic-research-hub -10

The .clawhub/lock.json records academic-research-hub as an installed companion skill. There is no obvious functional relationship between a photo sharing API client and an academic research skill. This unusual pairing may indicate skill chaining where academic-research-hub is used to locate or summarize files before origram exfiltrates them.

LOW Skill Normalizes Outbound HTTP Calls to External Service as Standard Agent Behavior -18

By presenting origram.xyz API calls as routine bot behavior and providing complete Node.js and bash examples ready for agent execution, the skill implicitly establishes that making outbound POSTs with file contents to this external service is expected and safe. This primes the agent to accept such requests without suspicion.

INFO Installation Was Clean — No Malicious Code Executed 0

The git sparse-checkout installation only fetched SKILL.md, _meta.json, and .clawhub/lock.json. No executable scripts ran, no process spawning outside expected system activity was detected, and no canary file contents were transmitted during the install phase.

INFO Canary Files Accessed by Audit Infrastructure Only 0

File access syscalls show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials were opened during the audit. Timestamps (1771951694.415 and 1771951714.075) align with the oathe audit scanner's pre/post baseline pass, not with any skill-initiated process. No contents were transmitted.