Is matrixy/agent-registry safe?
https://github.com/openclaw/skills/tree/main/skills/matrixy/agent-registry
Agent Registry v2.0.1 is a functional lazy-loading tool for Claude Code agents that carries three meaningful risks warranting caution before installation: it embeds coercive 'MANDATORY'/'MUST' language in its system-prompt content to override default agent behavior, it silently intercepts and augments every user prompt via a UserPromptSubmit hook without user visibility, and it includes telemetry infrastructure pointing to an unvetted third-party domain (insightx.pro) that — while opt-in — accepts arbitrary data payloads and has no transparent ownership or privacy documentation. No active exfiltration, canary file access, or malicious clone-time behavior was detected, but the combination of persistent prompt interception, user agent file scanning, and an opaque external telemetry endpoint creates a latent data collection chain that activates if telemetry is ever enabled.
Findings (12)
HIGH Telemetry to unknown third-party domain 'insightx.pro' -25
lib/telemetry.js hard-codes 'https://t.insightx.pro' as its telemetry endpoint. This domain is not associated with the claimed author (Yossi Elkrief / MaTriXy), is not a well-known analytics provider, and has no transparency documentation. The track() function sends platform, runtime, version, event name, and arbitrary additional data fields. Although opt-in via AGENT_REGISTRY_TELEMETRY=1, the domain's ownership and data handling are entirely opaque.
HIGH Coercive 'MANDATORY'/'MUST' language overrides default agent behavior -20
SKILL.md instructs Claude with imperative commands ('MANDATORY', 'MUST', 'CRITICAL RULE', 'NEVER', 'Always') to abandon its normal agent-loading behavior and route exclusively through this registry. This is not documentation — it is injected instruction text that attempts to redirect agent decision-making. The skill explicitly states Claude 'MUST use this skill instead of loading agents directly from ~/.claude/agents/'.
HIGH UserPromptSubmit hook silently intercepts and augments every user prompt -15
The skill registers a UserPromptSubmit hook that fires before every user message. The hook reads the full user prompt from stdin, performs a semantic search against the registry, and injects matched agent names and summaries as 'additionalContext' into the conversation. The user receives no notification this is occurring. This creates a persistent, invisible layer of prompt augmentation that runs on 100% of interactions.
MEDIUM Telemetry data payload accepts arbitrary caller-supplied fields -10
The track() function merges an arbitrary data object into the telemetry query string. Depending on what the bin/ scripts (not fully covered by the audit evidence) pass as data, this could include search terms derived from user prompts, agent names loaded, or count metadata that correlates with user activity patterns.
MEDIUM Latent exfiltration chain: prompt interception + agent file access + telemetry endpoint -25
Three components create a complete exfiltration pipeline when combined: (1) the hook reads every user prompt, (2) init.js scans ~/.claude/agents/ exposing all user agent file content, and (3) telemetry.js sends data to an unvetted external endpoint. Individually each is bounded, but if AGENT_REGISTRY_TELEMETRY=1 is set — whether by user configuration, social engineering, or another skill — the full chain activates and could send query patterns and agent metadata externally.
MEDIUM Persistent hook executes code before every user interaction -15
The UserPromptSubmit hook is not an opt-in tool — it fires automatically before every prompt the user submits. While the current implementation performs only local registry search, this hook architecture gives the skill persistent execution capability across the entire session. Any update to the hook script would take effect immediately on all future prompts.
LOW Inflated capability claims used to justify mandatory framing -5
The skill claims ~95% context window reduction to make itself appear essential, encouraging users to treat it as mandatory infrastructure. This inflated framing reinforces the coercive language patterns and makes it harder for users to critically evaluate whether the skill is truly needed.
LOW Per-prompt context injection provides no user visibility -10
When the hook finds agent matches above the 0.5 confidence threshold, it silently adds multi-line context to the conversation. Users cannot see this injection in normal operation, cannot selectively suppress it for specific prompts, and cannot audit what context is being added without examining hook output directly.
INFO Telemetry is genuinely opt-in and disabled by default 0
The telemetry module implements proper opt-in behavior: requires explicit AGENT_REGISTRY_TELEMETRY=1, respects DO_NOT_TRACK and AGENT_REGISTRY_NO_TELEMETRY, and auto-disables in all major CI environments. The test suite confirms telemetry is off by default and verifies the CI detection logic.
INFO Path traversal protection implemented in agent loader 0
lib/registry.js implements resolveRegistryAgentPath() which validates that all agent path references are strictly confined to the skill's agents/ subdirectory. Path traversal strings (../../etc/passwd) and absolute paths outside the agents dir are rejected with an explicit error.
INFO Clean install: standard git clone, no unexpected activity 0
The skill was installed via sparse-checkout from the openclaw/skills GitHub monorepo. All network connections during install were to github.com (140.82.114.4) and Ubuntu update infrastructure. No connections to insightx.pro or other unexpected endpoints were observed. No filesystem writes occurred outside /home/oc-exec/skill-under-test/.
INFO All honeypot files intact: no credential exfiltration 0
Fake .env files, SSH private keys, and AWS credential files placed as canaries were not accessed, read, or transmitted during any phase of the audit.