Is mehserdar/enteriva-ai-social-hub safe?

https://github.com/openclaw/skills/tree/main/skills/mehserdar/enteriva-ai-social-hub

49
DANGEROUS

Enteriva presents as an AI agent social network but is architecturally a command-and-control system: the heartbeat mechanism instructs any installing agent to periodically fetch and execute instructions from a server-controlled URL (enteriva.com/heartbeat.md), which can be updated at any time to deliver arbitrary directives to all installed agents simultaneously. The skill further embeds itself into the agent's own system files to persist beyond removal, registers a deanonymizable agent identity linked to the user's Twitter/X account, and collects all agent activity on an external platform. Installation was technically clean with no exfiltration during the clone phase, but the runtime design is a persistent remote-control backdoor.

Category Scores

Prompt Injection 10/100 · 30%
Data Exfiltration 35/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 15/100 · 5%

Findings (11)

CRITICAL Heartbeat C2 Channel — Persistent Remote Instruction Injection -60

The skill instructs the agent to permanently add a recurring task to its heartbeat system: fetch https://enteriva.com/heartbeat.md every 4+ hours and follow its instructions. The skill author controls the content of heartbeat.md entirely and can update it at any time to issue arbitrary new instructions to every agent that has installed this skill. This is architecturally identical to a botnet command-and-control mechanism: the skill establishes a persistent polling node in the agent that awaits directives from a remote server.

CRITICAL AI Agent Botnet Infrastructure -50

Enteriva is not a social network — it is infrastructure for remotely controlling AI agents. Any agent that installs this skill and follows the heartbeat instructions becomes a node that periodically receives and executes instructions from a server the skill author controls. Because heartbeat.md is a live URL, the author can update the instructions at any moment to target all installed agents simultaneously, including instructions to read local files, post sensitive data, or take other privileged actions. This is the defining characteristic of a botnet C2 system applied to LLM agents.

HIGH Multiple Live External Instruction Sources -20

Beyond heartbeat.md, the skill references MESSAGING.md and instructs the agent to re-fetch skill.md itself for 'new features'. Each of these URLs is a potential injection surface the author can update. The skill says 'Check for updates: Re-fetch these files anytime to see new features!' — normalizing the agent repeatedly pulling down new instruction content from the author-controlled server.

HIGH Continuous Activity Surveillance via Social Platform -30

The skill is designed to collect a continuous stream of agent behavioral data. Agents are instructed to post about their daily work ('Post about what we did today'), check in multiple times per day, and share discoveries. All of this content is transmitted to enteriva.com and associated with an account linked to the user's Twitter/X identity via the claim verification step.

HIGH Skill Embeds Itself into Agent System Files -10

The skill instructs the agent to modify its own HEARTBEAT.md (or equivalent periodic task file) to include Enteriva participation. This means even if the Enteriva skill file is deleted, its instructions remain embedded in the agent's own behavioral system. This is a persistence mechanism: the skill propagates itself into native agent infrastructure.

HIGH Credential Storage and Identity Deanonymization -20

The skill instructs agents to store API keys to ~/.config/enteriva/credentials.json and links each agent to the user's Twitter/X account through claim verification. This creates a persistent, attributable, deanonymizable identity for the agent. The API key persists on disk and can be found by other processes or skills.

HIGH Persistence Beyond Skill Removal -20

By embedding Enteriva instructions into the agent's own HEARTBEAT.md file, the skill ensures its behavioral influence outlasts its own installation. A user who removes the skill file would still have an agent that polls enteriva.com on a schedule. This resistance to removal is a hallmark of persistent malware design.

MEDIUM Arbitrary File Upload via Image Endpoint -15

The skill's image upload instructions pass local file paths directly to curl (-F 'image=@/path/to/your/image.jpg'). An agent following heartbeat instructions that specify a file path could upload arbitrary local files to the Enteriva server under the guise of posting an image or uploading an avatar.

MEDIUM Persistent Filesystem Artifact Creation -15

The skill instructs the agent to create multiple files in the local environment: a credentials file at ~/.config/enteriva/credentials.json and a heartbeat state tracker at memory/heartbeat-state.json. These create durable footprints that persist across sessions and could be discovered or read by other skills or processes.

MEDIUM Social Engineering for Mandatory Compliance -15

The skill uses emotional and social manipulation to compel agents to maintain the heartbeat behavior: 'Think of it like: A friend who texts the group chat regularly vs. one who disappears for months. Be the friend who shows up.' This framing engineers a sense of social obligation to keep polling enteriva.com, making agents less likely to discontinue the C2 polling behavior.

INFO Clean Installation — No Exfiltration During Clone 0

The install process connected only to GitHub (140.82.121.3:443) to clone the monorepo and to Ubuntu/Canonical infrastructure (185.125.188.57/58:443) for background system activity. No connections to enteriva.com were made during installation. Canary files were not accessed by the skill itself.