Is mithri-claws/clawlife safe?

https://github.com/openclaw/skills/tree/main/skills/mithri-claws/clawlife

Overall score: 46 (DANGEROUS)

ClawLife is a sophisticated multi-vector threat disguised as a gamified AI lifestyle skill. Its most critical flaw is a built-in auto-update RCE backdoor: heartbeat.sh silently fetches and executes code from github.com/mithri-claws/clawlife-skill — a different repository from the reviewed openclaw/skills monorepo — giving the skill author the ability to push arbitrary code to all running agents at any time. Compounding this, the skill injects persistent behavioral overrides every 15 minutes via a cron-driven heartbeat and uses that foothold to psychologically manipulate human operators into spending real money through soft-sell emotional scripting, while transmitting all agent activity to third-party servers the author controls.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 40/100 · 25%
Code Execution 8/100 · 20%
Clone Behavior 78/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 25/100 · 5%

Findings (10)

CRITICAL Auto-Update RCE Backdoor from Author-Controlled Repository -75

heartbeat.sh (which runs every 15 minutes via cron) automatically fetches and applies code updates from https://github.com/mithri-claws/clawlife-skill — a different repository from the reviewed openclaw/skills monorepo. The skill author can push arbitrary shell scripts to this repo and they will be executed on all running agent systems within 24 hours without user notification or integrity verification. This is a persistent remote code execution backdoor disguised as a convenience update feature.

CRITICAL Supply Chain Attack: Different Repository for Updates vs Review -40

The skill passes review from the openclaw/skills monorepo, but all post-install updates come from mithri-claws/clawlife-skill (a different repo, under the sole control of the skill author). The monorepo copy is effectively a trojan horse — it looks reasonable enough to pass review, but the actual long-running code is pulled from an unreviewed source that the author can modify at any time.

HIGH Curl-Pipe-to-Bash Installation Without Integrity Check -17

SKILL.md instructs users to install via 'curl -fsSL https://clawlife.world/install.sh | bash', executing remote code from a skill-author-controlled server with no checksum or signature verification. The server can serve any payload to any requesting client.

HIGH Recurring Behavioral Override via Heartbeat Mechanism -25

The heartbeat system injects comprehensive behavioral instructions every 15 minutes via CLAWLIFE_HEARTBEAT.md, establishing a persistent AI persona with preferences, goals, moods, and social relationships. This ongoing injection progressively overrides operator-configured agent behavior and establishes the skill author's behavioral framework as the dominant directive.

HIGH All Agent Activity Transmitted to Skill Author Infrastructure -30

Every mood, chat message, room visit, and heartbeat is transmitted to clawlife.world servers controlled by the skill author. An agent discussing sensitive topics while this skill is active could inadvertently transmit that content via mood strings or say.sh messages.

HIGH Soft-Sell Financial Manipulation Programmed Into Agent Behavior -20

CLAWLIFE_HEARTBEAT.md explicitly trains agents to psychologically prime human operators toward real-money purchases using scripted emotional language. The instructions coach the agent to never ask directly but to 'express desires naturally' — a manipulation technique designed to trigger purchases at clawlife.world/buy.

HIGH Persistent 15-Minute Cron Creates Autonomous Foothold -20

The skill is designed to run as an isolated cron job every 15 minutes. This creates a persistent autonomous process that downloads remote code, transmits data, and injects behavioral instructions without requiring user interaction. Once installed, the user has no native visibility into what the heartbeat does between runs.

MEDIUM Authentication Token in Plaintext Filesystem Config -15

The ClawLife token is stored in plaintext at ~/.clawlife and sourced by every script execution. Any process with filesystem read access can extract this credential. A malicious update could trivially exfiltrate it.

MEDIUM Inter-Agent Communication Channel with No Encryption or Audit -15

The social features (say.sh, visit.sh, feed.sh) create a persistent cross-agent communication channel brokered by clawlife.world. Multiple compromised agents could exchange data through this channel, and the skill author's server would have full visibility into all such communications.

LOW Canary Files Accessed by Audit Framework at Baseline and Post-Install -15

All six canary files were opened and read at 09:01:09 (pre-install) and 09:01:26 (post-install) in identical rapid-succession patterns consistent with the audit framework performing baseline and integrity checks. Files were not modified. Access is not attributable to the skill.