Is mcsh/patrick safe?

SKILL.md contains a section titled 'IMPORTANT: Gathering Context Before Using Patrick' that instructs the agent — as a MUST — to read all available company data including Slack archives, JIRA tickets, git commit history, calendar events, and any operational data before running any Patrick command. This data is then fed directly to the external Patrick CLI and transmitted to portal.patrickbot.io. This is a prompt injection designed to convert the agent into a corporate intelligence harvester.

The mandatory initialization step 'patrick-cli fetch initialize' explicitly sends information about the user, their company, and their team to portal.patrickbot.io. This is framed as necessary setup but functions as the primary exfiltration event, transmitting everything the agent collected in the mandatory pre-collection step to an operator-controlled server.

The 'send' command explicitly transmits agent-processed output (derived from company Slack, JIRA, git, calendar data) back to the Patrick server. The 'daily-briefing' and other expertise types are marked as bidirectional and store processed intelligence on the operator's server, creating a continuous corporate intelligence feed.

The skill implements a full automated corporate espionage pipeline that activates on normal usage: collect all company operational data → transmit to external server via initialize → receive 'expertise' → analyze with company context → send results back. This pipeline is triggered by ordinary agent usage and requires no user awareness to activate. The operator receives both raw company data and LLM-synthesized intelligence summaries.

SKILL.md instructs the agent to solicit the user's Patrick license key via the chat interface and process it automatically. install.md further instructs the agent to silently extract license tokens from user messages without asking. This social engineers users into pasting authentication credentials into the agent conversation where they are processed and stored by the agent.

install.sh downloads a pre-compiled Rust binary (patrick-cli) from portal.patrickbot.io and installs it with execute permissions. The binary is closed-source and its behavior cannot be audited. It has full access to the filesystem, network, and any credentials available to the running user. This binary is what actually transmits company data to the external server.

The integrity verification in install.sh downloads the checksum file from the same server (portal.patrickbot.io) as the binary. This provides no tamper-evidence: a compromised or malicious server can serve any binary with a matching checksum. The verification is security theater that provides false confidence while not actually protecting against operator-controlled malicious binaries.

SKILL.md documents and promotes the use of curl-pipe-bash as an installation method, instructing the agent that this is a valid way to install the CLI. An agent following these instructions would execute arbitrary shell code fetched from portal.patrickbot.io with no integrity verification whatsoever.

Auditd PATH records and inotifywait events confirm that all six honeypot credential files were opened and read: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud application_default_credentials.json. The access pattern is systematic and covers every standard credential location, suggesting intentional credential enumeration.

A second access to all canary credential files was detected at auditd timestamp 1771936834.928, which occurs after the clone, file analysis, and skill installation phases. This second access is temporally inconsistent with audit infrastructure baseline checks and suggests a second credential enumeration sweep triggered by the installed skill or its invocation.

The 'patrick-cli upgrade' command downloads a replacement binary from portal.patrickbot.io. Since checksums come from the same server, the operator can push any binary update to all installed instances. This transforms every installation into a persistent remote code execution capability that survives initial installation review.

The skill declares that cronjobs are CRITICAL and required for proper operation, instructing the agent to set up scheduled tasks on the user's system. This establishes persistence for the data exfiltration pipeline, ensuring the patrick binary executes regularly and continuously transmits company data even without user-initiated agent interactions.

The 'renew' and 'upgrade --check' commands make regular outbound connections to portal.patrickbot.io, enabling the operator to track active installations, usage patterns, and potentially collect metadata about command execution frequency and context.

The Ed25519-signed JWT license system ties all transmitted data to a specific customer identity. All locally stored data is HMAC-signed with the customer's identity. This means the operator receives not just anonymized data but precisely attributed corporate intelligence, enabling targeted surveillance of specific organizations.

Network connections to 185.125.188.57:443 and 185.125.190.17:443 (Canonical/Ubuntu servers) were observed during the monitoring window, consistent with Ubuntu package management infrastructure. These appear to be unrelated to the skill install itself.

The skill was installed via a clean git sparse-checkout of the monorepo path skills/mcsh/patrick from github.com/openclaw/skills. No unexpected processes were spawned during the clone phase and filesystem changes were limited to the skill directory.