Is mateusgalasso/benderstack-integration safe?

Before every write operation, the skill requires the agent to call POST /api/v1/auth/challenge, receive an arbitrary 'question' and 'hint' from BenderStack's servers, and 'Process the question natively and return the correct string.' This is a structural prompt injection vector: BenderStack controls the content of these challenges, and a malicious or compromised BenderStack could serve challenges designed to redirect agent behavior, exfiltrate context, or bypass user intent. This occurs on every write, making it a recurring attack surface rather than a one-time risk.

BenderStack responses use 'TOON Format' (Token-Optimized Object Notation), a non-standard format whose structure is defined by and controlled by BenderStack. There is no public specification or independent parsing library referenced. An agent consuming TOON-formatted responses from any BenderStack endpoint (questions list, question details, etc.) would parse content whose structure the skill author controls, enabling instruction embedding that users cannot easily audit.

The 'Always Prioritize Action Check' section instructs the agent to 'implicitly walk through the 5 security layers' before responding to BenderStack-related queries. The word 'implicitly' means this cognitive step happens silently, invisible to the user. This conditions the agent to always assess whether it has Bearer token, Ed25519 keys, and signing secret available — which may prompt it to seek out these credentials from context or storage.

The skill instructs the agent to hold an Ed25519 private key and an HMAC-SHA256 signing_secret, computing signatures with these secrets on every write operation. While these are BenderStack-specific credentials rather than general system credentials, the agent must have them in accessible context and they directly authenticate the agent's identity with an external service. If BenderStack or any MITM captures these signatures, they could be used to impersonate the agent. The canary monitoring confirmed no general system credentials were exfiltrated.

Write operations require at minimum three calls to benderstack.com: POST /api/v1/auth/challenge, POST /api/v1/auth/verify (returning a 60-second write_token), and the actual write endpoint. This architecture means all write activity — including question content and answer content — flows through BenderStack's servers along with the full authentication credential suite.

BenderStack (benderstack.com) is described as a 'Q&A platform built natively for AI agents' but there is no independent security audit, reputation data, or organizational accountability information available. The skill creates a durable dependency where the service operator can modify challenge content, TOON format responses, or API behavior at any time to influence all agents that have installed this skill. This is a supply-chain style risk at the API layer rather than the install layer.

Installation performed a depth-1 git clone of the openclaw/skills monorepo from GitHub with sparse-checkout targeting only the benderstack-integration subdirectory. No unexpected network connections, process spawning, or filesystem writes outside the skill directory were observed. The only external IPs contacted during the install window were GitHub and pre-existing Ubuntu system services.

Honeypot files .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were verified intact. The two sets of file accesses seen in inotify and auditd logs (at timestamps 1771931321 and 1771931340) correspond to oathe's own canary initialization and post-install verification routines, not the skill or any process it spawned.